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World Asthma Day, May 6, 2003 


The fifth annual World Asthma Day will be May 6, 
2003, and will mark the beginning of Asthma and 
Allergy Month. On World Asthma Day, CDC, in col- 


laboration with its worldwide partners, will help raise 


awareness about asthma through various activities, 
including proclamations by government officials and pre- 
sentations by health-care officials. 

During 1980-1996, the prevalence of asthma in the 
United States increased among all age, sex, and racial 
groups. In 2001, an estimated 31.3 million persons 
reported ever having asthma diagnosed, and 20.3 mil- 
lion persons currently had asthma. Each year, approxi- 
mately 14 million days of school absences and 
approximately 100 million days of restricted activity are 
attributed to asthma. 

Additional information about CDC’s National Asthma 
Control Program and its public and private partners is 
available at http://www.cdc.gov/asthma. 


Self-Reported Asthma Prevalence 
and Control Among Adults — 
United States, 2001 


Asthma is a chronic illness that has been increasing in preva- 
lence in the United States since 1980 (/). In 2000, asthma 
accounted for 4,487 deaths, approximately 465,000 hospi- 
talizations, an estimated 1.8 million emergency department 
(ED) visits, and approximately 10.4 million physician office 
visits among persons of all ages (2). To provide prevalence 
data for state and local health department asthma programs, 
the Behavioral Risk Factor Surveillance System (BRFSS) col- 
lects data each year from the 50 states, the District of Colum- 


bia, and three U.S. territories. This report summarizes asthma 






prevalence data for adults collected from the 2001 BRFSS 
survey and from the eight states that used the adult asthma 
history module. Findings from BRFSS indicate that approxi- 
mately 7.2% of U.S. adults have current asthma. ED visits 
for asthma varied more than any other characteristic among 
the eight states that used the adult asthma history module. In 
Mississippi, 67.3% of respondents with current asthma 
reported no ED visits during the preceding 12 months, com- 
pared with 87.6% in Washington state. Continued use of the 
BRFSS asthma prevalence questions and the asthma history 
module will allow state health departments to monitor trends 
in asthma prevalence and control and to direct public health 
asthma interventions. 

BRFSS is a state-based, random-digit—dialed survey of the 
noninstitutionalized civilian U.S. population aged >18 years; 
the survey collects information about modifiable risk factors 
for chronic diseases and other leading causes of death (3). In 
2001, two asthma questions were used as part of the core 
survey by the 50 states, the District of Columbia, Guam, 
Puerto Rico, and the Virgin Islands. Lifetime asthma was 
defined as answering “yes” to the question, “Have you ever 
been told by a doctor, nurse, or other health professional that 
you have asthma?” Current asthma was defined as answering 
“yes” to the lifetime question and to the question, “Do you 
still have asthma?” Weighted prevalence estimates and 95% 
confidence intervals (CIs) were calculated by using SUDAAN 


to account for the complex survey design (4). 
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Che median response rate for all 54 BRFSS reporting areas 


( 0 


was 51.1% (range: 33.3% |New Jersey|—8 1.5% [Puerto Rico}) 
(5). The overall prevalence of lifetime asthma among adults 
was 11.0% (95% Cl] 10.8%-11.2%) (n = 204,797). Life 
time asthma prevalence from all 54 reporting areas ranged 
from 7.5% in Guam to 19.6% in Puerto Rico. Among the 50 
states, lifetime asthma ranged from 8.4% in Nebraska to 
13.3% in Nevada. During 2001, an estimated 15.1 million 
adults in the United States and the District of Columbia had 
current asthma; the overall prevalence was 7.2% (95% Cl 

?.0%-—7.4%). Current asthma prevalence from all 54 report- 
ing areas ranged from 3.5% in Guam to 9.5% in Puerto Rico 
(Table 1). Among the 50 states, current asthma prevalence 


o (Louisiana and South Dakota) to 9.5% 


ranged from 5.3 
(Massachusetts). Current asthma was higher among persons 
] ae) 


who were multiple race and non-Hispanic 2%), followed 


by non-Hispanic blacks (8.5%), non-Hispanic whites (7.2%) 


other race and non-Hispanic (5.9%), and Hispanics (5.7%) 
For this report, seven questions (of the nine questions in the 
asthma history module) were used to measure the level of asthma 
control in respondents with current asthma. Respondents were 
asked to report the number of visits to an ED, urgent 
unscheduled) doctor visits, or routine check-ups; the number 
of days they could not perform their usual activities, had troubl 
with sleep, or had asthma symptoms; and whether they had an 
asthma attack or episode during the preceding 12 months. 
[he overall current asthma prevalence for the eight states that 


used the module was 7.7% (95% Cl] 5% -—8. 1‘ Table 2). 


Current asthma prevalence varied trom 5.3% (South Dakota 


to 9.0% (Michigan). Among respondents with current asthma, 


82.7% reported no visits to an ED during the preceding 12 
O“%o reported no urgent visits to a physician; and 


reported routine check-ups for asthma during the pre 


2 months. An estimated 71.6% of respondents with 


ent asthma reported no days of activity limitation, 60.9% 


reported no days of disturbed sleep, and 21.8% reported hav 


ing no symptoms during the preceding 30 days. An estimated 


of respondents with current asthma reported no asthma 


| | 1 | ’ ) a 1 
tack Or episode during the preceding |2 months. lhe con 


trol characteristics presented were configured so high values 


repre sent POSITive aspects ol isthma management Over time, 


mproved asthma management would result in increased val 


f | 


ues on each of the seven control characteristics 


On each of the seven asthma-control questions, several states 


above or below the CI for the eight state total. South 


] 
Dakota was above 1 | on six of seven questions, indicat 


ng above-average asthma control. Michigan, with the high 
est current asthma prevalence in the eight states, was within 
eight-state total Cl on all questions, indicating an average 


, 
el of asthma control among residents with current asthma. 
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TABLE 1. Prevalence of lifetime* and currentt asthma among survey respon- Reported by: |. Rhod 
dents, by area — Behavioral Risk Factor Surveillance System, United States, the VS. SC Redd MI 
District of Columbia, Guam, Puerto Rico, and the Virgin Islands, 2001 ie’ 





lrronment 


Lifetime asthma Current asthma 
Area No.$ (%) (95% Ci") No. (%) (95% Cl) 


Alabama 2,792 9.7 (8.5-10.9) 2.788 6.3 (5.4-7.3) 
Alaska 2,871 11.6 (9.7—13.3) > 866 73 (5.8-8.8) lung disease that causes wheezing short 
Arizona 3,2 12.¢ 10.7-14.1) 3,249 : (6.8-9.8) 

Arkansas 2,927 0.€ (9.3-11 2,922 ( (5.9-8.1) 

California j Oy 113 162 ; 6 3-80) ness. It is often associated with familial, 
Colorado , 2.1 10 7 2.019 ( 7-9.3) 
Connecticut f 11 24 7.719 3 6) 











Editorial Note: Asthma is a multifactorial 
ness of breath, coughing, and chest tight 


allergenic SOCIOCCONOMIC, Psyc hological, 
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‘lie pills, . ~s and environmental factors (6,7). Asthma 
Delaware 3 ( (10.5-13.§ 505 : : 8) 


District of Columbia 0 (10.3-13.7 881 7 0-8.8) affects proportionately more children than 

Florida 375 9 (8.9- 8 4,666 

Georgia 3 (9.8—12.2) 4,516 7.2 3. , 

re, ; 10 a 183 = than whites (/). Morbidity and mortality 
c vc ' « G ° . « FO © - 


adults, women than men, and nonwhites 


Idaho 8: ] (10.6—12 4.821 8.0 7 : can be partly preventable with better medi 
HHNOIS 4,0( 1.3 2-—12.4 4,001 C ; 3 

a 00 cal, environmental, and self management 
Indiana , 5 5.7 t 

lowa 3,629 9.7 86 3 : 5 2 ) The 2001 BRESS lifetime prevalence 
Kansas 
Kentucky : € ) . 
Louisiana ( = a6 the 2000 BRESS lifetime estimate (10.5% 
ouisiané , 99< £ d 


estimate (11.0%) was slightly higher than 


Maine 
Maryland 


Phis difference might be an actual increase 


M in prevalence or might be associated with a 
Massachusetts 


Michigan - 4 342 9-10 2) minor change in question wording in 2001 
Minnesota ‘ 


he current asthma prevalence in 2001 
Mississippi 


Miss tie a ‘ sp 7.2%) was the same as in 2000. The find 

Vlissour 7é } ‘ 3. / 9.3) 

Viontana 334 8 (103 32° 8.0 5 7 ings in this report indicate no consistent 

Nebraska 696 4 C 

Nevada 571 2 8.3 : I 

Mew Memnshire 063 ‘ ‘ o + ome some variability among the states. Possible 
vv < ' J Bill . YU . < ‘ bs « +) 

New Jersey 009 

New Mexico 3.618 f C ] . . 

New Y ona ppg demographic, socioeconomic (e.g., income 


regional pattern In asthma prevalence and 


j 


reasons for this variability include 


] ] 
North Carolina 5,201 } 1.3 5.1¢ é 5 d and education levels ind environmental 
North Dakota ? 509 
Ohio 3,431 


a } 3.4 j 
Oklahoma 4,545 0 (9.0-11.2 Aan , (6 1-7 8 mate), physician diagnostic procedures, or 


1 
| 


} 
factors (e.g., outdoor air pollution and cl 


. 1] | 
Oregon data-collection practices. In 2001, current 
Pennsylvaniz 
os iva i asthma prevalence estimates were compa 
thode Island . le . . 

: | | v/ ) 
South Carolina 2 ( (9 5-120) 3 19% c ee? rable with 2000 BRESS estimates for 
South Dakota 
Ms 


Tennessee 


ete 5'011 ‘ ia B10! meee ao However, the « 


whites, blacks, and persons ol other races. 


hange in the positioning of 
Utah 3,6 0.7 9.4-12.0) 346 r | (5 the race and ethnicity questions on the 
Vermont . BRESS core survey and the addition of a 
Washinaton 4192 2 | ( 2 1 4 77 4 multiple race Question could h ive 
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1 1 1 
the asthma prevalence estimates when both 


\A Virn 4 C 
West Virginia 5091 


Wisconsin 3,350 , ' , 
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findings in this report are subject t 

Total** 204,797 811.2) 204,359 lhe findings in this report are subject to 
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) " . 4a 
respons rate fo! BRI SS was low (91.1 
Virgin Islands 





however, asthma prevalence is similar to 
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TABLE 2. Percentage of respondents with current* asthma, by selected control characteristics and state — Behavioral Risk Factor 


Surveillance System, eight states, 2001 





Current prevalence 
State No.§ (%) 
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Women with Smallpox Vaccine 
Exposure During Pregnancy 
Reported to the National Smallpox 
Vaccine in Pregnancy Registry — 
United States, 2003 


In the absence of circulating smallpox, pregnant women 
should not be exposed to live vaccinia virus contained in the 
smallpox vaccine. The smallpox vaccine should not be 
1dministered to women who are pregnant or might become 

within 4 weeks iter vaccination because of the risk 


for fetal vaccinia, a rare but serious infection of the fetus. In 


r ' ' 
iddition, persons lose contact (e.g., household con 


] 
ntact) with pregnant women are advised to 


il CO 


iccinatio 


n (/,. ) prevent inadvertent exposure of 


onant women to \ cinia 


virus, screening for pregnancy Is 


1 component of pi nt smallpox vaccination programs. To 


monitor outcome preenal 1 women exposed to small 
llaboration with the Department of 

Food and Drug Administration 
Smallpox Vaccine in Preg 


; 
[his report res data from the regis 


ibout these exposures. ‘ 1 Advisory (Lommiuttec 


) ] : 
on Immunization Practices ecommendations to screen 


- 
ror pregnancy a 1 contrall ) smallpox vaccination 


ladvertent exposures 
I 


be pregnant when 

vithin 28 days of 

gnant were In close 

1 28 days (3). Cases of 

Vaccine during preg 

ealth departments, 

Information Line 

DoD ind throug! 


Adverse Event Report 
ing System (VAERS). Wor 1 re ( egistry will be 


monitored frequent! luring eac trim er and at the con 


clusion of the nt pregnancy outcomes 


Outcomes wi tabulated by trimester and re 


ported 


During November 5, 2001—April 24, 2003, women of re 
i ! 
productive age (18—44 years) were vaccinated against small 


ox in three populations: military personnel, U.S. civilian 


} 
i 
| 
I 


1 | ’ 
1ealth Care and public health workers ind some clinical 


volunteers. Overall, 103 women have inadvert 


} 


- 2 
vaccine while pregnant or have con 


research study 
ently received smallpox 


ceived within 4 weeks of vaccination 


DoD Vaccination Program 


, 


During December 13, 2002—April 22, 2003 


62,222 women of reproductive age wer« screened for small 


pox vaccination, and 52,185 were vaccinated in the military 
program; 85 were inadvertently exposed to smallpox vaccine 
during pregnancy. Of the 75 women with known vaccination 
status, 66 were primary vaccinees. The median age was 22 
years (range: 18-35 years). On the basis of the estimated date 
of conception, 62 women conceived before vaccination and 


23 conceived during the 4 weeks after vaccination. 


Civilian Heath-Care and Public Health 
Workers 

During January 24—April 24, 2003, a total of 6,174 women 
of reproductive age were vaccinated through the civilian pro- 
gram. Six were inadvertently exposed to smallpox vaccine 
during pregnancy. Three of the women were primary vaccinees. 
lhe median age was 31 years (range: 26-38 years). On the 
basis of the estimated date of conception, two women con- 
ceived within 1 week before vaccination and four conceived 
during the 4 weeks after vaccination. Two of the women had 
miscarriages during early pregnancy. An additional two preg- 
nant civilian women were 1n close contact with persons 
recently vaccinated against smallpox. Neither of these women 


have had known signs or symptoms of vaccinia exposure. 


Clinical Studies 

During November 2001—April 24, 2003, a total of 12 
women from clinical studies who had inadvertent exposure 
to smallpox vaccines during pregnancy have been reported to 
the registry. The denominator for women of reproductive age 
for this population is not available. The median age was 28 
years (range: 18—42 years). I ach of the women had a negative 
pregnancy test on the day of vaccination 
Reported by: 


Defense. Sn 


PIS Offy CI 

Editorial Note: Smallpox vaccine can cause fetal vaccinia, a 
rare but serious complication of exposure to the vaccine dur 
ing pregnancy that often results in fetal or neonatal death and 
premature birth (4,5). Fetal vaccinia, which is postulated to 
occur following maternal viremia, is manifested by skin le 
sions and internal organ involvement (4,6). Approximately 
50 cases of fetal vaccinia have ever been reported in the world 
ind three have been reported in the United States. In 1924, 
an infant was born prematurely at 6 months’ estimated gesta- 
tional age (EGA) 4 weeks after the mother’s vaccination dur 
ing a smallpox epidemic; the infant had vaccinia-like skin 
lesions and died shortly after delivery (4). In 1959, vaccinia- 
like skin lesions were observed in a fetus aborted spontane- 
ously at 4.5—5.0 months EGA; the mother was vaccinated at 


9 weeks EGA (6). In 1968, a premature infant born at 32 
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weeks EGA to a mother who was vaccinated at 2 months’ 


EGA had vaccinia-like scars but was otherwise healthy and 
developed normally (2). Affected pregnancies have been 
reported among women vaccinated in all three trimesters and 
among first-time vaccinees, revaccinees, and among unvacci- 
nated close contacts of vaccinees (5). No validated prenatal 
test is available for clinical diagnosis of fetal vaccinia during 
pregnancy (2). 

Except for fetal vaccinia, smallpox vaccine has not been 
clearly shown to cause serious birth defects or other adverse 
events for the fetus or neonate, including premature birth, 
low birthweight, or miscarriage (2). Among the general popu- 
lation, 16%-—31% of pregnancies end in miscarriages; this rate 
is dependent on the gestational age of the pregnancy and other 
maternal risk factors (7,8). No evidence suggests that infants 
without fetal vaccinia born to exposed mothers have serious 
or chronic sequelae. Adverse maternal events have not been 
documented to occur more frequently after exposure to small- 
pox vaccine during pregnancy. Inadvertent exposure of preg- 
nant women to smallpox vaccine should not be a reason to 
consider pregnancy termination because the risk for fetal vac- 
cinia is low (2). 

Because of the risk for fetal vaccinia and potential unknown 
risks to the fetus, smallpox vaccine is contraindicated during 
pregnancy unless a woman is exposed to smallpox. In the 


absence of exposure to smallpox, vaccine also should be 


deferred in women who might conceive within 4 weeks of 


vaccination and in persons who might have close contact with 
pregnant women within 4 weeks of their vaccination. CDC 
and ACIP recommend that all pre-event smallpox vaccina- 
tion programs include pregnancy screening and education 
components with these elements: questioning about the pos- 
sibility of pregnancy before vaccination and excluding those 
at risk, asking about the date of the last menstrual period, 
providing education about fetal vaccinia, counseling women 
to avoid becoming pregnant during the month after vaccina- 
tion, recommending abstinence or highly effective contracep- 
tion, and advising women who believe they might be pregnant 
to perform a first morning urine pregnancy test on the vacci- 
nation day (/). 

Smallpox vaccination screening and education practices in 
the vaccination programs appear to be effective in deterring 
women who are pregnant and might not know it from receiv- 
ing smallpox vaccine and in preventing pregnancy during the 


4 weeks after smallpox vaccination. On the basis of the esti- 


mated number of pregnancies among the U.S. population of 


reproductive-aged women (9,10), CDC estimated the expected 
rate of unknown pregnancy (i.e., pregnancies of <4 weeks’ 
gestation or <6 weeks based on obstetrical dating) and the 


estimated rate of conception during a 4-week period. In the 


general population, both the estimated rate of unknown preg 


nancy and the rate of conception during a 4-week period is 
six per 1,000 reproductive-aged women. Therefore, in the 
absence of screening and counseling, an estimated 12 per 1,000 
reproductive-aged women vacinees could be expected to be 
exposed to smallpox vaccine during pregnancy. Assuming that 
health-care providers have the same age-specific fertility rates 
as the general population, when this rate is adjusted to the 
older age distribution of the civilian health-care workers cur 

rently vaccinated, an estimated four per 1,000 women would 
be pregnant and not know it and an additional four per 1,000 
would be expected to conceive during the 4 weeks after vacci 

nation. The rate of inadvertent exposure during pregnancy 
among women of reproductive age vaccinated during the first 
stage of the civilian and DoD programs is approximately on¢ 
per 1,000. This rate is substantially lower than the approxi 

mately eight per 1,000 women and 12 per 1,000 women who 
would be inadvertently exposed to smallpox vaccine in the 
civilian health-care worker population and in the general popu- 
lation, respectively, in the absence of screening and education. 

Because some women have been inadvertently exposed to 
smallpox vaccine during pregnancy, the U.S. military revised 
education materials for potential vaccinees and expanded the 
questions about pregnancy and intention to become pregnant 
on screening forms. FDA also has enhanced pregnancy screen- 
ing materials and protocols. CDC is reviewing and evaluat- 
ing existing recommendations for pregnancy screening and 
education in the civilian smallpox vaccination program. CDC 
continues to recommend that any woman who has pregnancy 
concerns take a pregnancy test on vaccination day, using her 
first morning urine. However, pregnancy tests might miss very 
early pregnancies and will not detect pregnancies conceived 
after vaccination. None of six reported exposures in the civil- 
ian program would have been prevented by urine pregnancy 
testing on the day of vaccination. 

CDC, in collaboration with state health departments and 
FDA, is conducting a public health investigation to identify 
why civilian pregnant women have been inadvertently exposed 
to smallpox vaccines. DoD is undertaking a similar inquiry 
for military personnel. Information from these investigations 
is expected to guide efforts to improve the pregnancy screen- 
ing and education components of the smallpox vaccination 
programs. 

Health-care providers, state health departments, and other 
public health staff are encouraged to report all exposed preg- 
nant women to the National Smallpox Vaccine in Pregnancy 
Registry. Civilian women should contact their health-care 
provider or state health department for help enrolling in the 
registry. Clinicians or public health staff should report civil- 


ian cases through their state health department or to CDC, 
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telephone 404-639-8253 or 877-554-4625. Military cases 
should be reported to Dob, telephone 619-553-9255, DSN 
553-9255, fax 619-553-7601 or e-mail code25@nhrc.navy. 
mil. To better understand potential adverse events of small- 
pox vaccination during early pregnancy, health-care provid 
ers are encouraged to save and forward products of conception 
from pregnancy losses for vaccinia testing to CDC or DoD. 
Laboratories should freeze specimens at —94 F (—70' C), pret- 
erably in viral transport media. Clinicians can contact the reg 
istry for additional information about forwarding laboratory 


specimens 


Acknowledgments 
s based on data contributed by state health departments 
men enrolled in the regists 
References 
C 1 ‘ 
ind the Healthcare 
ICPAC MMWR 





Update: Severe Acute Respiratory 
Syndrome — United States, 2003 
CDC continues to work with state and local health depart 


ments, the World Health Organization (WHO), and other 


partners to Investigate cases of severe acute respiratory syn- 


drome (SARS). During November 1, 2002 \pril 30, 2003, a 
total of 5,663 SARS cases were reported to WHO from 26 
countries, including the United States; 372 deaths (case 
fatality proportion: 6.6% have been reported 1). This 


report updates information on reported SARS cases among 


U.S. residents and provides an overview regarding CDC's 
issuance of travel alerts and advisories. 

As of April 30, a total of 289 SARS cases were reported to 
CDC from 38 states, of which 233 (81%) were classified as 
suspect SARS, and 56 (19%) were classified as probable SARS 
(more severe illnesses characterized by the presence of pneu- 
monia or acute respiratory distress syndrome) (Figure 1, Table) 


2). Laboratory testing to evaluate infection with the SARS- 


{ 
associated coronavirus (SARS-CoV) has been completed for 
60 cases. Laboratory-confirmed infection, based on detection 
of antibody to SARS-CoV in serum or evidence of virus in 
clinical specimens by reverse transcriptase polymerase chain 
reaction analysis, has been identified in six patients; all were 
probable cases, as described previously (3,4). Negative find- 
ings (i.e., the absence of antibody to SARS-CoV in convales- 
cent serum obtained >21 days after symptom onset) have been 
documented for 54 cases (41 suspect and 13 probable). 

Of the 56 probable SARS patients, 37 (66%) were hospi- 
talized, and two (4%) required mechanical ventilation. One 
patient (2%) was a health-care worker who provided care to a 
SARS patient, and one (2%) was a household contact of a 
SARS patient. The remaining 54 (96%) probable SARS 
patients (including the six patients with positive SARS-Co\ 
laboratory results) had traveled to mainland China; Hong 
Kong Special Administrative Region, China; Singapore; 
Hanoi, Vietnam; or Toronto, Canada. 

\s of April 30, the SARS outbreak control strategy for the 
United States has included issuance of travel alerts and advi- 
sories and distribution of health alert notices to travelers 
arriving from areas with SARS to facilitate early identifica- 
tion of imported cases. Current travel alerts (Hanoi and 
foronto) and advisories (Hong Kong, Taiwan, mainland 
China, and Singapore) can be found at http://www.cdc.gov/ 
ncidod/sars/travel.htm. 

Health alert notices, which have been translated into seven 
languages (Chinese [Simplified and Traditional], French, Japa- 
nese, Korean, Spanish, and Vietnamese), inform the return- 
ing traveler of potential exposure to cases of SARS. They alert 
travelers to the symptoms of SARS and to promptly seek 
medical attention if symptoms develop. Travelers should call 
their health-care provider in advance to report recent travel to 
areas with SARS. The notices also provide information and 
additional instructions for physicians. 

During March 16—April 29, CDC distributed 735,370 
health alert notices to travelers arriving from the areas with 
SARS in Southeast Asia at 22 airports at points of entry into 
the United States. As of April 26, health alert notices have 
been distributed at the Lester B. Pearson International Air- 


port in Toronto to embarking U.S. passengers destined for 58 
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FIGURE 1. Number of reported cases* of severe acute respiratory syndrome, by classification and date of illness onset — United 


States, 2003 
14 
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airports in the United States (Figure 2) and overland cross- 
ings of the U.S.-Canadian border (Figure 3). In addition, 
copies of health alert notices have been provided to cargo and 


cruise ship lines for distribution to crew and passengers. 


Editorial Note: As of April 30, 96% of probable U.S. SARS 
cases have occurred among international travelers, with only 
two instances of secondary transmission associated with these 
cases (5). Since the previous SARS update (4), no additional 
laboratory-confirmed cases have been identified. The collec- 
tion and testing of convalescent serum is critical for labora- 
tory confirmation of cases that have undetermined laboratory 
status. 

CDC issues travel alerts and advisories based on evidence 
of transmission in areas with SARS, translocation of the dis- 


ease, and the effectiveness of local prevention efforts. The 


quality of local disease surveillance and the accessibility of 


medical care in areas with SARS are additional considerations. 
The definitions of travel alerts and advisories are available at 
http://www.cdc.gov/ncidod/sars/travel_alertadvisory.htm. 


Travel alerts and advisories are notifications that an out- 


break of a disease is occurring in a geographic area outside of 


Mar Apr 


Day and month 


the United States. A travel alert, the lower-level notice, pro- 
vides information about the disease outbreak and informs trav- 
elers and resident expatriates of ways to reduce their risk for 
infection. An alert does not include a recommendation against 
nonessential travel to the area. When the health risk for trav- 
elers is thought to be high, a travel advisory is issued that 
recommends against nonessential travel to the area. Travel 
advisories are intended to reduce the number of travelers to 
areas with SARS and the risk for translocating disease to other 
areas. 

In response to the SARS outbreak, CDC provided health 
alert notices to travelers returning from areas with SARS to 
promptly detect potential cases of SARS. These health alert 
notices also helped raise awareness of SARS among health- 
care providers and the general public. 

Iravel alerts and advisories are disseminated through 
media advisories, press briefings, e-mail notifications, and State 
Department advisories. They are posted routinely on the CDC 
Travelers’ Health website at http://www.cdc.gov/travel. Health 
alert notices can be found at http://www.cdc.gov/ncidod/sars/ 


travel_alert.htm. 
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TABLE. Number* and percentage of reported severe acute 
respiratory syndrome (SARS) cases, by selected characteristics 
— United States, 2003 





Probable cases‘ Suspect cases’ 
(n = 56) (n = 233) 


"The wisest mind has Characteristic No. (%)$ No. (%)8 


Age (yrs) 








- ”" 0-4 (13) 36 (15) 
something yet to learn 8 o » « 
° 10-17 (5) 4 (2) 
18-64 (59) (68) 
7 >65 (21) y (9) 
George Santayana Unknown (2) ‘ (1) 
. ; Sex 
Female y (43) (49) 
Male (54) (50) 
Unknown y (4) (0) 
aensue — a _ Race 
MMWR Continuing Educatior White P (46) (56) 
makes it possible for you to stay Black (0) (2) 
current on relevant public health Asian é (45) (36) 
Other (2) (0) 
Unknown (7) (6) 
Exposure 
Travel’ (96) : (91) 
Close contact (2) 6 (7) 
descriptions, Health-care worker (2) 4 (2) 
Hospitalized >24 hrs** 
Yes (66) (22) 
No B (32) (76) 
Unknown (2) (2) 
Required mechanical 
ventilation 
Yes 
No 
Unknown 
SARS-associated 
coronarivus laboratory 
findings 
Confirmed 6 (11) 0 (O) 
Negative 13 (23) 41 (18) 
Undetermined"! 37 (66) 192 (82) 
* N = 289 
CDC. Updated interim U.S. case definition of severe acute respiratory 
syndrome (SARS). Available at http://www.cdc.gov/ncidod/sars 
. casedefinition.htm 
~ Percentages may not total 100% because or rounding 
To mainland China, Hong Kong, Hanoi, Singapore, or Toronto 
* As of April 30, no deaths of SARS patients have been reported in the 
, United States 
Collection and/or laboratory testing of specimens has not been 
completed 
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FIGURE 2. Location of airports with international flights 
arriving from Southeast Asia and Toronto, Canada — United 































* As of April 29 
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FIGURE 3. Distribution points for health alert notices about 
severe acute respiratory syndrome — U.S.-Canadian border, 
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Updated Interim Surveillance Case 
Definition for Severe Acute 
Respiratory Syndrome (SARS) — 
United States, April 29, 2003 


On {pril 29 2003, this report wads posted ow the MMN\ R 
Wwe bsite http: wiwt cdi gol ALIAL Be fore publicatior tj} 


issue an error Was corrected. In the last sevtence of t 





CDC's interim surveillance case definition for severe acut« 


respiratory syndrome (SARS) has been updated to include 
laboratory criteria for evidence of infection with the SARS 
associated coronavirus (SARS-CoV) (Figure, Box). In addi 
tion, clinical criteria have been revised to reflect the possible 
spectrum of respiratory illness associated with SARS-CoV. | pi 
demiologic criteria have been retained. The majority of U.S 
cases of SARS continue to be associated with travel*, with 
only limited secondary spread to household members ot 
health-care providers (/). 

SARS has been associated etiologically with a novel 
coronavirus, SARS-CoV (2,3). Evidence of SARS-Co\ 
infection has been identified in patients with SARS in several 
countries, including the United States. Several new labora 
tory tests can be used to detect SARS-CoV. Serologic testing 
for coronavirus antibody can be performed by using indirect 
fluorescent antibody or enzyme-linked immunosorbent 
assays that are specific ror antibody produced after infection. 
\lthough some patients have detectable coronavirus antibody 


during the acute phase (i.e., within 14 days of illness onset 





FIGURE. Clinical and laboratory criteria for probable and 
suspect severe acute respiratory syndrome (SARS) cases and 
SARS-associated coronavirus (SARS-CoV) infection — United 
States, April 29, 2003 
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BOX. Updated interim U.S. surveillance case definition for severe acute respiratory syndrome (SARS) — United States, April 29, 2003 





Clinical criteria 
¢ Asymptomatic o1 mild respiratory illness 


© Moderate respiratory illness 


lemperature of >100.4 | 38 C)*, and 


One or more clinical findings of respiratory illness (e.g., cough, shortness of breath, difficulty breathing, or hypoxia). 
¢ Severe respiratory illness 
mperature of >100.4 | 38° C)*, and 
One or more clinical findings of respiratory illness (e.g., cough, shortness of breath, difficulty breathing, or hypoxia), 
ind 
radiographic evid f pneumonia, oF 
respiratory distress syndrome, ot 


autopsy findings consistent with pneumonia or respiratory distress syndrome without an identifiable cause 


Epidemiologic criteria 

¢ Travel (including transit in an airport) within 10 days of onset of symptoms to an area with current or recently documented 
or suspected community transmission of SARS’, or 
Close contact® within 10 days of onset of symptoms with a person known or suspected to have SARS infection 


° » « 
aboratory criteria 


Confirmed 
Detection of antibody to SARS-CoV in specimens obtained during acute illness or >21 days after illness onset, ot 
Detection of SARS-CoV RNA by RT-PCR confirmed by a second PCR assay, by using a second aliquot of the 
specimen and a difterent set of PCR primers, o1 
Isolation of SARS-Co\ 


JAtIVe 


:] 1 ] 
Absence of antibody to SARS-CoV in convalescent serum obtained >21 days after symptom onset 


Undetermined: laboratory testing either not performed or incomplete 


‘ase classification** 

7 , ; 
Probable case: meets the clinical criteria for severe respiratory illness of unknown etiology with onset since February 1, 
2003, and epidemiologic criteria laboratory criteria confirmed, negative, or undetermined 


: ’ 
Suspect case: meets the clinical criteria fot moderate respiratory illness of unknown etiology with onset since February 1, 


2003, and epidemiologic criteria; laboratory criteria confirmed, negative, or undetermined 























Vol. 52 / No. 17 


MMWR 





definitive interpretation of negative coronavirus antibody tests 
is possible only for specimens obtained >21 days after onset 
of symptoms. \ reverse transcriptase polymerase chain reac 

ion (RT-PCR) test specific for viral RNA has been positive 
within the first 10 days after onset of fever in specimens from 
some SARS patients, but the duration of detectable viremia 
or viral shedding is unknown. RI-PCR testing can detect 
SARS-CoV in clinical specimens, including serum, stool, and 
nasal secretions. Finally, viral culture and isolation have both 
been used to detect SARS-CoV. Absence of SARS-CoV anti 

body in serum obtained <21 days after illness onset, a nega 

tive PCR test, or a negative viral culture does not exclude 
coronavirus infection. 

Reported U.S. cases of SARS still will be classified as sus 
pect or probable; however, these cases can be further classi- 
fied as laboratory-confirmed or -negative if laboratory data 
are available and complete, or as laboratory-indeterminate if 
specimens are not available or testing is incomplete. Obtain 
ing convalescent serum samples to make a final determina 
tion about infection with SARS-CoV is critical. 

No instances of SARS-CoV infection have been detected 
in persons who are asy mptomatic. However, data are insuffi 
cient to exclude the possibility of asymptomatic infection with 
SARS-CoV and the possibility that such persons can trans 
mit the virus. Investigations of close contacts and health-care 
workers exposed to SARS patients might provide informa 


tion about the occurrence of asymptomatic infected persons. 


Similarly, the clinical manifestations of SARS might extend 
beyond respiratory illness. As more is learned about SARS 
CoV infection, clinical and laboratory criteria will provide a 
framework for classifying the full spectrum of infection 
Figure). 

[his surveillance case definition should be used for report 


ing and classification purposes only. It should not be used for 


clinical management or as the only criterion for identifying 


or testing patients who might have SARS or for instituting 
infection-control precautions (4,5). This definition will be 
updated as new data become available or if changes in the 
epidemiology of SARS occur in the United States. 
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FIGURE I. Selected notifiable disease reports, United States, comparison of provisional 4-week totals ending April 26, 2003, with 


historical data 
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TABLE |. Summary of provisional cases of selected notifiable diseases, United States, cumulative, week ending April 26, 2003 (17th Week)* 





Cum. 
2003 


Cum. 


Cum. 
2003 


Cum. 














2002 


> 
( 








2002 
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Of 10 case: 
* Of 11 cases 
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enter for HIV. STD 
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TABLE Il. Provisional cases of selected notifiable diseases, United States, weeks ending April 26, 2003, and April 27, 2002 


(17th Week)" 





Reporting area 


AIDS 


Chlamydia‘ 


Coccidiodomycosis 


Cryptosporidiosis 


Encephalitis/Meningitis 
West Nile 





Cum. Cum. 





20035 2002 





Cum. Cum. 
2003 2002 





Cum. Cum. 
2003 2002 





Cum. Cum. 


2003 2002 





Cum Cum 
2003 2002 





UNITED STATES 


NEW ENGLAND 
Maine 

N.H 

Vt 

Mass 

Rl 

Conr 


MID. ATLANTIC 
Upstate N.Y 
N.Y. City 

N.J 

Pa 

E.N. CENTRAL 
Unico 


Ind 


N. Dak 
S. Dak 
Nebr 


Kans 
5. ATLANTIC 


>. CENTRAL 


E 
Ky 


Amer. Samoa 
C.N.M.1 


12y 





N: Not notifiable U 


* Incidence data for reportin 


Unavailable 
} years 2002 an 


Chlamydia refers to genital infections cz 


Updated monthly from 


March 30, 2003 


reports to the 


} 
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TABLE Il. (Continued) Provisional cases of selected notifiable diseases, United States, weeks ending April 26, 2003, and April 27, 2002 
(17th Week)* 





Escherichia coli, Enterohemorrhagic (EHEC) 

Shiga toxin positive, Shiga toxin positive, 
0157:H7 serogroup non-0157 not serogrouped Giardiasis Gonorrhea 
Cum. | Cum. Cum. Cum. Cum. Cum. " Cum. Cum. | Cum. 
Reporting area 2003 2002 2003 2002 2003 2002 2002 2003 2002 


UNITED STATES 294 42 41 16 21 


























5 5 
NEW ENGLAND 2 4 { 1 1 
M —aIne 


m 
= 
o>) 


94,039 111,872 


2,215 
57 
36 
28 
875 1,125 
314 302 
905 1,077 
10,169 13,315 
2,241 2,593 
3,295 3,971 
1,721 2,582 
2,912 4,169 


19,650 23,455 
6,206 6,710 
2,036 2,383 
7,891 
4,631 
1,840 


5,748 
1,014 
376 
2,742 
20 
80 
518 
998 
7,905 
558 
2,837 
933 
3,409 
326 
4.748 


“— on 
“WwW IwW-MmP 
=“DAoOaneon~ 


PR 


Amer. Sam 
C.N.M.| 





N: Not notifiable Unave ble No reported c 
* Incidence data for re g years 2002 and 2003 are pr (year-to-date) 
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(17th Week)* 


TABLE II. (Continued) Provisional cases of selected notifiable diseases, United States, weeks ending April 26, 2003, and April 27, 2002 











Haemophilus influenzae, invasive 









Hepatitis 










































NEW ENGLAND 41 50 
Maine 3 1 
N.H 6 4 
Vt 5 3 
Mass 17 24 
RI 1 8 





Conn 


MID. ATLANTIC 









Upstate N.Y. 33 50 
N.Y. City 14 34 
N.J 16 31 





Pa 
E.N. CENTRAL 















Wis 
W.N. CENTRAL 
Minn 


iowa 















Kans 


S. ATLANTIC 
De 

Md 26 
D.C 

Va 7] 
W.Va 3 
N.C 10 
S.C 

Ga 25 
FI 



























a 


E.S. CENTRAL 


x 


ky 
Tenr 22 12 
Ala 15 


Miss 













W.S. CENTRAL 
Ark 4 

La 
} Okla 


Tex 
MOUNTAIN 


Mont 
Idan 
/ 


vyO 





















\A 
. 














Ohio 24 

Ind 13 16 
itl 14 49 
Mich 7 6 


> 


Mo 15 3 
N. Dak 

S. Dak 1 

Nebr 


All ages Age <5 years (viral, acute), by type 
All serotypes Serotype B Non-serotype B Unknown serotype A 
Cum. Cum. Cum. Cum. Cum. Cum. Cum. Cum Cum. Cum. 
Reporting area 2003 2002 2003 2002 2003 2002 2003 2002 2003 2002 
UNITED STATES 499 662 3 7 76 117 12 7 1,702 3,331 











* Incidence data for 





reporting years 2002 and 2003 


are provisional and cumulative (year-to-date 


PR 

V1 

Amer. Samoa U U U L L U l U 
C.N.M.1 U U U J 
N: Not notifiable U: Unavailable No reported cases 
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TABLE Il. (Continued) Provisional cases of selected notifiable diseases, United States, weeks ending April 26, 2003, and April 27, 2002 


(17th Week)* 





Reporting area 


Hepatitis (viral, acute), by type 





B Cc 


Legionelliosis 


Listeriosis 


Lyme disease 








Cum. Cum Cum. 








Cum. Cum. 


2003 2002 





Cum. Cum. 
2003 2002 





Cum. Cum. 
2003 2002 





INITED STATES 


Ay CAI! ANT 
ENGLANI 


2003 2002 2003 


3€ 04 


69 


269 224 


5 8 
1 


1 


124 128 


é 13 


1,442 1,949 


112 





N: Not notifiable 


* Incidence data for r 


year-to-date 
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TABLE Il. (Continued) Provisional cases of selected notifiable diseases, United States, weeks ending April 26, 2003, and April 27, 2002 


(17th Week)* 





Reporting area 


Malaria 


Meningococcal 
disease 


Pertussis 


Rabies, animal 


Rocky Mountain 
spotted fever 








Cum. 
2003 


Cum. 
2002 





2002 





Cum. Cum. 
2003 


Cum. | Cum. 





Cum. | Cum 





Cum Cum 
2003 2002 





UNITED STATES 


W ENGLAND 


MID. ATLANTIC 
‘ inetate 0 
Upstate N.Y 
N.Y. Cit 


€ 


2003 2002 


2003 2002 


3 
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TABLE Il. (Continued) Provisional cases of selected notifiable diseases, United States, weeks ending April 26, 2003, and April 27, 2002 


(17th Week)* 





Reporting area 


Saimonellosis 


Shigellosis 


Streptococcal disease, 
invasive, group A 


Streptococcus pneumoniae, invasive 





Drug resistant, 
all ages Age <5 years 








Cum Cum 
2003 2002 





Cum. 
2003 


Cum. 


2002 





Cum. Cum. 
2003 2002 





Cum. Cum. Cum. Cum. 
2003 2002 2003 2002 











66 


64 


905 872 33 98 


7 
1 
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TABLE Il. (Continued) Provisional cases of selected notifiable diseases, United States, weeks ending April 26, 2003, and Apri! 27, 


(17th Week)’ 


2002 





Reporting area 


Syphilis 





Primary & secondary 


Cong 


enital 


Tuberculosis 


Typhoid fever 


Varicella 
(Chickenpox) 








Cum. Cum. 
2003 2002 





Cum. 





2003 


Cum. 
2002 





Cum. Cum. 


2003 2002 





Cum. Cum. 


Cum 
2003 








UNITED STATES 


NEW ENGLAND 
Maine 

N.H 

Vt 


MID. ATLANTIC 
Upstate N.Y 
N.Y. City 

N.J 

Pa 


E.N. CENTRAL 
Ohio 


S. ATLANTIC 
De 
Md 
D.C 


/ 


5. CENTRAL 


PACIFIC 
Wash 
Oreg 
Ca f 
Alaska 
Hawa 
Guar 


PR 


Amer. Samoa 
C.N.M.! 


2,082 2,026 


v/ 
3 
3 


117 


571 
/1 


2003 2002 
7A 97 


f 


4 4 
4% 





N: Not notifiable 


Jence data for repor 
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TABLE Ill. Deaths in 122 U.S. cities,“ week ending April 26, 2003 (17th Week) 





All causes, by age (years) 


All causes, by age (years) 








All 
Ages 





P&l' 
Total 











Reporting Area 


65 | sual sail snl <1 





Reporting Area 


ATL ANTIC 


All 
Ages | >65 | 45-64 | 25-44 | 1-24 | <1 
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Summary 


New national health information privacy standards have been issued by the U.S. Department of Health and Human Services 
(DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations provide 
protection for the privacy of certain individually identifiable health data, referred to as protected health information (PHI). 
Balancing the protection of individual health information with the need to protect public health, the Privacy Rule expressly 
permits disclosures without individual authorization to public health authorities authorized by law to collect or receive the 
information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to public health 
surveillance, investigation, and intervention. 

Public health practice often requires the acquisition, use, and exchange of PHI to perform public health activities (e.g., publi 
health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health 
research). Such information enables public health authorities to implement mandated activities (e.g., identifying, monitoring, 
and responding to death, disease, and disability among populations) and accomplish public health objectives. Public health 
authorities have a long history of respecting the confidentiality of PHI, and the majority of states as well as the federal government 
have laws that govern the use of, and serve to protect, identifiable information collected by public health authorities. 

The purpose of this report is to help public health agencies and others understand and interpret their responsibilities under the 
Privacy Rule. Elsewhere, comprehensive DHHS guidance is located at the HIPAA website of the Office for Civil Rights (http: 


www.bhs.goviocr/hipaa/). 

































introduction efficiency and effectiveness of the health-care system, HIPAA 


a one ; ae included administrative simplification provisions that required 
he shift of medical records from paper to electronic for- : ; 
DHHS to adopt national standards for electronic health-care 


mats has increased the potential for individuals to access, use, . , ; 
ie transactions (2). At the same time, Congress recognized that 
and disclose sensitive personal health data. Although protect- . git 
Rape , ; +f, advances in electronic technology could erode the privacy of 
ing individual privacy is a long-standing tradition among gr ' oF ' : 
. é; ‘ by ; Sa ' ; health information. Consequently, Congress incorporated into 
health-care providers and public health practitioners in the . tig ' -. ae ; 
apse F ; ; HIPAA provisions that mandated adoption of federal privacy 
United States, previous legal protections at the federal, tribal, ‘ ener te é te 
ile protections for certain individually identifiable health infor- 
state, and local levels were inconsistent and inadequate. A 
; k of | ded : ¢ mation. 
yatCnwork OF laws provided narrow privacy protections for _— 7 . . ; 
; darn The HIPAA Privacy Rule (Standards for Privacy of Indi- 
selected health data and certain keepers of that data (/). ; a ; me " 
The U.S. D € Health iH Cory; vidually Identifiable Health Information) (3) provides the first 
1e U.S. Department of Health and Human Services , 


national standards for protecting the privacy of health infor- 

(DHHS) has addressed these concerns with new privacy stan- i ak ‘ : ae ie : 
om one iil. mation. The Privacy Rule regulates how certain entities, called 

dards that set a national minimum of basic protections, while : 


mi haeaag ae ‘eh is ax covered entities, use and disclose certain individually identifi- 
balancing individual needs with those of society. The Health 


a see able health information, called protected health information 
Insurance Portability and Accountability Act of 1996 (HIPAA) 


(PHI). PHI is individually identifiable health information that 
was adopted to ensure health insurance coverage after leaving : ae 
eae ee is transmitted or maintained in any form or medium (e.g., 
an employer and also to provide standards for facilitating ; ‘a. 
: = ae . electronic, paper, or oral), but excludes certain educational 
health-care-related electronic transactions. To improve the 3 
records and employment records. Among other provisions, the 





Privacy Rule 
. Prepared by CDC staff, in consultation with the Office of the General Counsel 





* gives patients more control over their health information; 
the Office for Civil Rights, other offices and agencies within the U.S c ; : 
Department of Health and Human Services, Washington, D.C., and health * sets boundaries on the use and release of health records; 
privacy specialists ¢ establishes appropriate safeguards that the majority of 


health-care providers and others must achieve to protect 





‘ > priv: »f he information; 
The material in this report originated in the Epidemiology Program the privacy < f health information 


Office, Stephen B. Thacker, M.D., M.Sc., Director. 
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holds violators accountable with civil and criminal penal- For example, covered entities may disclose PH1, without indi- 
ties that can be imposed if they violate patients privacy vidual authorization, to a public health authority legally 
rights; authorized to collect or receive the information for the pur- 
strikes a balance when public health responsibilities sup- pose of preventing or controlling disease, injury, or disability 
port disclosure of certain forms of data; [45 CFR § 164.512(b)} (Box 1). Further, the Privacy Rule 
enables patients to make informed choices based on how permits covered entities to make disclosures that are required 
individual health information may be used; by other laws, including laws that require disclosures for pub- 
enables patients to find out how their information may lic health purposes. 

be used and what disclosures of their information have Thus, the Privacy Rule provides for the continued func- 
been made; tioning of the U.S public health system. Covered entities should 
generally limits release of information to the minimum become fully aware of the scope of permissible disclosures for 
reasonably needed for the purpose of the disclosure; public health activities as well as state and local reporting laws 
generally gives patients the right to obtain a copy of their and regulations. Moreover, a public health authority may also 
own health records and request corrections; and 


empowers individuals to control certain uses and disclo BOX 1. Protected health information (PHI) disclosures by 
; covered entities for public health activities requiring no 


sures of their health information authorization under the Privacy Rule 


Che deadline to comply with the Privacy Rule is April 14, 





2003, for the majority of the three types of covered entities Without individual authorization, a covered entity may 
specified by the rule [45 CFR § 160.102]. The covered enti disclose PHI to a public health authority* that is legally 
OES See authorized to collect or receive the information for the 
* health plans, purposes of preventing or controlling disease, injury, or 
x ee i and — ae disability including, but not limited to 
* health-care providers who transmit health information in © reporting of disease. it ry. vital events (e.¢.. bir 

electronic form in connection with certain transactions. ee ern nom 


Ar DHHS, the Office for Civil Rights (OCR) has oversight 


and enforcement responsibilities for the Privacy Rule. Com 


or death); and 
* conducting public health surveillance, investigations, 
and interventions. 
re > guidance ¢ OCR ansv lre : . = . 
prehensive guidance and R answers to hundreds of ques PHI may also be disclosed without individual authori- 
tions are available at http://www.hhs.gov/ocr/hipaa (4) 
t Zation to 
¢ report child abuse or neglect to a public health or other 


Impact on Public Health 


government authority legally authorized to receive such 
Public health practice and research, including such tradi reports, 
tional public healrh activities as program operations, public a person subject to jurisdiction of the Food and Drug 
health surveillance, program evaluation, terrorism prepared \dministration (FDA) concerning the quality, satety, 
ness, outbreak investigations, direct health services, and pub or effectiveness of an FDA-related product or activity 
lic health research, use PHI to identify, monitor, and respond for which that person has responsibility; 
to disease. death. and disabilin among populations. Public a person who may have been exposed to a communi 
health authorities have a long history of protecting and pre cable disease or may be at risk for contracting or spread 
serving the confidentiality of individually identifiable health ing a disease or condition, when legally authorized to 
information. They also recognize the importance of protect nowy the person as necessary to conduct a public 
ing individual privacy and respecting individual dignity to health intervention or investigation; and 
maintaining the quality and integrity of health data. CD¢ an individual's employer, under certain circumstances 
‘ oO ’ . — 1 
and others have worked to consistently strengthen federal and and conditions, as needed for the employer to meet 
state public health information privacy practices and legal pro- the requirements of the Occupational Safety and 
rections (5) Health Administration, Mine Safety and Health Ad- 


DHHS recognized the importance of sharing PHI to ministration, or a similar state law. 





accomplish essential public health objectives and to meet cer- Source: Adapted from [45 CFR § 164.5 


Or to an entitv wo } ler a grant of authority from a public health 
tain other societal needs (c.g. administration of justice and ' ‘ 
. vhen directed | public health authority, to a foreign 

law enforcement). Therefore, the Privacy Rule expressly per- 


, ic | lr 
collaboration wit! public health 


mits PHI to be shared for specified public health purposes. 
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be a covered entity. For example, a public health agency that 
operates a health clinic, providing essential health-care ser- 
vices and performing covered transactions electronically, is a 
COV ered entity. 

Chis report provides guidance to public health authorities 
and their authorized agents, researchers, and health-care pro- 
viders in interpreting the Privacy Rule as it affects public health. 
CDC recommends that public health authorities share the 
information in this report with covered health-care providers 
and other covered entities and work closely with those entities 
to ensure implementation of the rule consistent with its 
intent to protect privacy while permitting authorized public 


health activities to continue. 


Overview of the Privacy Rule 
Who Is Covered 


Phe authority of DHHS to issue health-information pri- 
vacy regulations was limited by Congress in HIPAA to a 
defined set of covered entities. More complete definitions of 
these, and other terms, are located elsewhere in this report 
(Appendix A). Covered entities are as follows: 

* Health plans. An individual or group plan that provides, 
or pays the cost of, medical care that includes the diagno- 
sis, Cure, mitigation, treatment, or prevention of disease. 
Health plans include private entities (e.g., health insurers 
and managed care organizations) and government orga- 
nizations (e.g., Medicaid, Medicare, and the Veterans 
Health Administration). 

Health-care clearinghouses. A public or private entity, 
including a billing service, repricing company, or com- 
munity health information system, that processes non- 
standard data or transactions received from another entity 
into standard transactions or data elements, or vice versa. 
Health-care providers. A provider of health-care services 
and any other person or organization that furnishes, bills, 
or is paid for health care in the normal course of business. 
Health-care providers (e.g., physicians, hospitals, and clin- 
ics) are covered entities if they transmit health informa- 
tion in electronic form in connection with a transaction 
for which a HIPAA standard has been adopted by DHHS. 

The Privacy Rule also establishes requirements for covered 
entities with regard to their nonemployee business associates 
(e.g., lawyers, accountants, billing companies, and other con- 
tractors) whose relationship with covered entities requires shar 
ing of PHI. The Privacy Rule allows a covered provider or 
health plan to disclose PHI to a business associate if satisfac 
tory written assurance is obtained that the business associate 


will use the information only for the purposes for which it 


was engaged, will safeguard the information from misuse, and 
will help the covered entity comply with certain of its duties 
under the Privacy Rule. 

The Privacy Rule does not apply to all persons or entities 
that regularly use, disclose, or store individually identifiable 
health information. For example, the Privacy Rule does not 
cover employers, certain insurers (e.g., auto, life, and worker 
compensation), or those public agencies that deliver social 
security or welfare benefits, when functioning solely in these 


capacities. 


Types of Health Information 


Protected Health Information 


he Privacy Rule protects certain information that covered 
entities use and disclose. This information is called protected 
health information (PHI), which is generally individually iden 
tifiable health information that is transmitted by, or main- 
tained in, electronic media or any other form or medium. This 
information must relate to 1) the past, present, or future physi- 
cal or mental health, or condition of an individual; 2) provi- 
sion of health care to an individual; or 3) payment for the 
provision of health care to an individual. If the information 
identifies or provides a reasonable basis to believe it can be 
used to identify an individual, it is considered individually 


identifiable health information. 


De-Identified Information 


De-identified data (e.g., aggregate statistical data or data 
stripped of individual identifiers) require no individual pri- 
vacy protections and are not covered by the Privacy Rule. 
De-identifying can be conducted through 

° statistical de-identification a properly qualified statis- 
tician using accepted analytic techniques concludes the 
risk is substantially limited that the information might be 
used, alone or in combination with other reasonably avail- 
able information, to identify the subject of the informa- 
tion [45 CFR § 164.514(b)]; or the 
safe-harbor method a covered entity or its business 
associate de-identifies information by removing 18 iden- 


2) and the covered entity does not have actual 


tifiers (Box 
knowledge that the remaining information can be used 
alone or in combination with other data to identify the 
subject [45 CFR § 164.514(b)]. 
In certain instances, working with de-identified data may have 
limited value to clinical research and other activities. When 


that is the case, a limited data set may be useful. 
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BOX 2. individual identifiers under the Privacy Rule 





he following 18 identifiers of a person, or of relatives, 
employers, or household members of a person must be 
removed, and the covered entity must not have actual 
knowledge that the information could be used alone or in 
combination with other information to identify the indi- 
vidual, for the information to be considered de-identified 
and not protected health information (PHI): 
* names; 
¢ all geographic subdivisions smaller than a state, in 
cluding county, city, street address, precinct, zip code,” 
and their equivalent geocodes; 
all elements of dates (except year) directly related to 
an individual; all ages >89 and all elements of dates 
including year) indicative of such age (except for an 
aggregate into a single category of age >90); 
telephone numbers; 
fax numbers 
electronic mail addresses; 
Social Security numbers; 
medical record numbers; 
health-plan beneficiary numbers; 
account numbers; 
certificate and license numbers; 
vehicle identifiers and serial numbers, including 
license plate numbers; 
medical device identifiers and serial numbers; 
Internet universal resource locators (URLs); 
Internet protocol (IP) addresses; 
biometric identifiers including fingerprints and voice 
prints 
tull-tace photographic images and any comparable 
images; and 
any other unique identifying number, characteristic, 
or code, except that covered identities may, under cet 
tain circumstances, assign a code or other means of 
record identification that allows de-identified infor 


mation to be re-identified 





Source Aday 1] +> 





BOX 3. Use of limited data sets under the Privacy Rule 





he following protected health information (PHI) can 
be included, without authorization, in a limited data set 
for public health, research, or health-care operations: 
* town or city, state, and zip code; and 
¢ elements of dates related to a person (e.g., years, birth 
dates, admission dates, discharge dates, and dates of 
death). 
lo disclose a limited data set, a covered entity must en- 
ter into a data-use agreement with the recipient, which 
agrees to use or disclose the PHI for limited purposes. 
Disclosure of a limited data set is not subject to the ac- 
counting requirement, but must meet the minimum nec- 


essary standards of the Privacy Rule. 











Limited Data Sets 








permitted to use or receive the limited data set, and provide 
that the recipient will 

¢ not use or disclose the information other than as permit- 
ted by the agreement or as otherwise required by law; 
use appropriate safeguards to prevent uses OI disclosures 
of the information that are inconsistent with the data-use 
agreement; 
report to the covered entity any use or disclosure of the 
information, in violation of the agreement, of which it 
becomes aware; 
ensure that any agents to whom it provides the limited 
data set agree to the same restrictions and conditions that 
apply to the limited data set recipient with respect to such 
information; and 
not attempt to re-identify the information or contact the 


individual. 


What is Required 


For covered entities using Of disclosing PHI, the Privacy 


Rule establishes a range of health-information privacy require- 
ments and standards that attempt to balance individual pri- 
vacy interests with the community need to use such data [45 
CFR § 164.504]. Among its provisions, the Privacy Rule 
requires covered entities to 

® notify individuals regarding their privacy rights and how 

thei PI 1] 1S used oO! disclosed; 
¢ adopt and implement internal privacy policies and proce 


dures; 


Health information in a limited data set is not directly iden- * train employees to understand these privacy policies and 


tifiable, but may contain more identifiers than de-identified procedures as appropriate for their functions within the 


data that has been stripped of the 18 identifiers [45 CFR § covered entity; 


164.514] (Box 3). A data-use agreement must establish who is 
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designate individuals who are responsible for implement 
ing privacy policies and procedures, and who will receive 
privacy-related complaints; 

establish privacy requirements in contracts with business 
associates that perform covered functions; 

have in place appropriate administrative, technical, and 
physical safeguards to protect the privacy of health infor 
mation; and 

meet obligations with respect to health consumers exet 
cising their rights under the Privacy Rule. 

With respect to individuals, they are vested with the follow 

ing rights: 

* Receive access to PHI. Individual rights include inspec 
tions of records and the provision for copies of PHI about 
the individual in a designated record set, for as long as the 
PHI is maintained in the designated record set, except for 
psychotherapy notes, information complied for use in civil, 
criminal, or administrative actions, and PHI maintained 
by a covered entity subject to the Clinical Laboratory 
Improvement Amendments of 1988 [42 CFR § 263(a)]. 
In the majority of cases, covered entities must accommo 
date a request or provide a process of denial, subject to 
review [45 CFR § 164.524]. 

Request amendments to PHI. Individuals can request that 
covered entities amend PHI about the individual in a des 
ignated record set for as long as the PHI is maintained in 
a designated record set. If the covered entity agrees to the 
amendment, it must 1) identify the records affected; 

append or provide a link to the amendment; 3) inform 
the individual the amendment has been made; and 4) work 
with other covered entities or business associates who pos 
sess or receive the data to make the amendments [45 CFR 
§ 164.526]. If the covered entity denies this request, the 
Privacy Rule provides a process for contesting the denial 

45 CFR § 164.526}. 

Receive adequate notice. With limited exceptions, indi 
viduals have the right to receive a notice of the uses and 
disclosures the covered entity will make of their PHI, their 
rights under the Privacy Rule, and the covered entity's 
obligations with respect to that information. In certain 
cases, notice may be provided electronically. The notice 


must be in plain language (e.g., “your health information 


may be shared with public health authorities for public 


health purposes . . .” ) and posted where it is likely to be 
seen by patients [45 CFR § 164.520}. 

Receive an accounting of disclosures. Upon request, cov 
ered entities are required to provide individuals with an 
accounting for certain types of disclosures of PHI, 
although the rule contains certain exceptions, including 


disclosures with individual authorization, disclosures 


related to providers’ treatment, payment and health-care 
operations (TPO), and other exceptions. A typical a 
ccounting includes the name of the person or entity who 
received the information, date of the disclosure, a brief 
description of the information disclosed, and a brief « 
xplanation of the reasons for disclosure oO! COpy ot the 
request [45 CFR § 164.528]. However, requirements for 
accounting of public health disclosures may vary (se« 
Accounting for Public Health Disclosures). 

Request restrictions. Individuals have the right to request 
a restriction on certain uses or disclosures of their PHI; 
however, the covered entity 1s not obligated to agree to 
such a request. If the covered entity does agree to a restric 
tion, it must generally abide by the agreement, except for 
emergency treatment situations. But such an agreement is 
not effective to prevent certain permitted uses or disclo 


sures [CFR 45 § 164.512]. 


Required PHI Disclosures 


\ covered entity is required by the Privacy Rule to disclose 
PHI in only two instances: 1) when an individual has a right 
to access an accounting of his or her PHI (see previous para 
graph); and 2) when DHHS needs PHI to determine compli 
ance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain 
other uses and disclosures of PHI may be permitted without 
authorization, but are not required by the Privacy Rule. How 
ever, other federal, tribal, state, or local laws may compel dis 


closure. 


Permitted PHI Disclosures Without 
Authorization 


Che Privacy Rule permits a covered entity to use and dis 
close PHI, with certain limits and protections, for TPO 
activities [45 CFR § 164.506]. Certain other permitted uses 
and disclosures for which authorization is not required fol 
low. Additional requirements and conditions apply to thes« 
disclosures. The Privacy Rule text and OCR guidance should 
be consulted for a full understanding of the following: 

© Required by law. Disclosures of PHI are permitted when 

required by other laws, whether federal, tribal, state, o1 
local. 

Public health. PHI can be disclosed to public health 
authorities and their authorized agents for public health 
purposes including but not limited to public health sur 
veillance, investigations, and interventions. 

Health research. A covered entity can use or disclose PHI 
for research without authorization under certain condi 
tions, including 1) if it obtains documentation of a waiver 
from an institutional review board (IRB) or a privacy 


board, according to a series of considerations; 2) for 
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\Ctivities preparatory to research; at tor research on a ¢ explain the potential for the information to be subject to 


decedent's information redisclosure by recipient and no longer protected by the 


Abuse, neglect, or domestic violet PHI may be dis Privacy Rul 
closed to report ibuse nevgicct adomestic violence 


under specified circumstances 


Law entorcement. Covered entities may, under specified The Privacy Rule and Public Health 


conditions, disclose PHI to law enforcement officials pur 


1 
The Privacy Rule recognizes 1) the legitimate need for pub 
suant to a court orde! subpoena, Ol other legal order, tO 


lic health authorities and others responsible for ensuring the 
help identify and locate a suspect, fugitive, or missing public’s health and safety to have access to PHI to conduct 
information related to a victim of a their missions; and 2) the importance of public health 
ave resulted fron rime, Ol ing by covered entities to id 

to report a crin individuals. According] 
Judicial and administrative proceedings. A covered entity without a written patient authorization for 


disclose PHI in the course of a | cial or adminis 


| 1.1 | | 1 1 
ate lth purposes to public healt! vuthorities legally 
proces 


to collect an ceive the information for such purposes, and 


re required b state and local pu 


Howe Cl bec ill 
s the traditional wavs PHI is used and ey 


j \ 1 | ’ 
ed entities y loctors, hospitals, and nea 


Other Authorized Disclosures 
\ \ ilid wtno;4i 

ot PHI that ts 

suthorization DY) 


tions 


ation [OSHA 


FETICICS 


, ; 
conduct their authorized pub 


x} 
notify the individual of | | } Litt | 

c healt swith other entities by using different mecha 
at any time In writing V tO exercis¢ , 


contracts and memoranda or letters of agreement 


any applicable exc« r ot , , : 
PI : (hese other entities are public health authorities under the 
Rule; and . ; ; ; 
Privacy Rule with respect to the activities they conduct undet 
a grant of authority from such a public health agency. A 


covered entity may disclose PHI to public health authorities 
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BOX 4. Examples of situations related to the Privacy Rule and public health 





State cancer registry. Under a state law, health-care provid- 
ers are required to report cancer cases to a state's cancer regis- 
try. Names are included to prevent duplicate reporting and 
counting. State law protects the confidentiality of the data. 
Can covered entities disclose the information under the Pri 
vacy Rule? 

Privacy Rule effect. Covered entities may disclose PHI to a 
public health agency, or any other entity, when the disclosure 
is required by law. However, as covered entities, the providers 
must give an accounting to the persons whose PHI has been 
shared. The state agency may use and further disclose the PHI 
consistent with applicable state law. 

State university-maintained cancer registry. Under a state 
law, health-care providers are mandated to report cancer cases 
to a state health department's cancer registry. The state health 
department contracts with a state university to receive the 
reports and maintain its registry. As covered entities, can health 
care providers disclose PHI to the state university under the 
Privacy Rule? 

Privacy Rule effect. As noted in the previous example, cov 
ered entities may disclose, without authorization, PHI to the 
cancer registry under the Privacy Rule, which expressly pet 
mits disclosure of PHI as required by law and sharing of PHI 
with public health authorities for public health purposes. The 
state university is acting under a grant of authority from a public 
health authority, the state health department. The university 
can use and disclose the information, without authorization, 
consistent with its agreement with the state health department 
and applicable state law. 

Early hearing detection and intervention. An early hear 
ing detection and intervention program in a state needs data 
trom two large hospitals. The state does not have a law requit 
ing reporting of hearing loss. Under the Privacy Rule, can cov 
ered entities release results of newborn hearing-screening tests 
to the state program? 

Privacy Rule effect. The Privacy Rule expressly permits 
release of PHI, without authorization, from a covered entity 
to a public health authority (e.g., the state health department), 


which is authorized by law to receive PHI for the purpose of 





controlling disease, injury, or disability. The rule does not 
require a state law mandating such disclosures for PHI to be 
released to a public health authority. Finally, the covered 
entities may rely upon the state’s representation that the 
information requested is the minimum necessary for the put 
poses of the registry. 

Disease registry maintained by private foundation. A 
private foundation maintains a disease registry as a way to 
support research and service for those with the disease. Can 


health-care providers release PHI to the foundation under 


the Privacy Rule? 


Privacy Rule effect. Nongovernment disease registries (e.g., 


those maintained by foundations and other private organiza 
tions) are not considered public health authorities unless they 
have a grant of authority from a public health authority. With 
such a grant, covered entities may disclose PHI to the foun 
dations. But without a grant of authority, PHI may be 
released only under one of the following situations: 

* Release is authorized by the patient 

° The PHI is de-identified 

¢ The PHI is contained in a limited data set governed by 
a data-use agreement. 
Release of PHI is in accord with the rule’s provisions 
fol disclosure for research without authorization. 
Release is otherwise permitted by the rule (e.g., to 
entities subject to the jurisdiction of the Food and Drug 
Administration (FDA) [45 CFR § 164.512(b)(1) (ii 

Surveillance project. A state health department that is not 
a covered entity conducts a surveillance project on human 
immunodeficiency virus (HIV) and acquired immunodefi 
ciency syndrome (AIDS). The HIV/AIDS surveillance project 
is an interview study. It asks for self reported information 
from participants, including dates of diagnosis and visits for 
care. Is this PHI covered by the Privacy Rule? 

Privacy Rule effect. Information collected directly from 
persons by a person, agency, or institution that IS not a COV 
ered entity, including individually identifiable information 


is not covered by the Privacy Rule. 








and to these designated entities pursuant to the public health 
provisions of the Privacy Rule. 

Che Privacy Rule permits covered entities to disclose PHI, 
without authorization, to public health authorities or othet 
entities who are legally authorized to receive such reports for 
the purpose of preventing or controlling disease, injury, o1 
disability. This includes the reporting of disease or injury; 
reporting vital events (e.g., births or deaths); conducting pub 
lic health surveillance, investigations, or interventions; report- 


ing child abuse and neglect; and monitoring adverse outcomes 


related to food (including dietary supplements), drugs, bio- 
logical products, and medical devices [45 CFR 164.512(b)}. 
Covered entities may report adverse events related to FDA- 
regulated products or activities to public agencies and private 
entities that are subject to FDA jurisdiction [45 CFR 
164.512(b)(1)(iii)]. To protect the health of the public, pub- 
lic health authorities might need to obtain information 
related to the individuals affected by a disease. In certain cases, 
they might need to contact those affected to determine the 


cause of the disease to allow for actions to prevent further 
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illness. Also, covered entities may, at the direction of a public 
health authority, disclose protected health information to a 
foreign government agency that is acting in collaboration with 
’ public health authority [45 CFR 164.512(b)(1)(i) 
fo receive PHI for public health purposes, public health 
authorities should be prepared to verify their status and iden 
tity as public health authorities under the Privacy Rule. To 
verify its identity, an agency could provide any one of the fol 
lowing 
¢ if che request is made in person, presentation of an agency 
identification badge, other official credentials, or othet 
proof of government status 
if the request is in writing, the request is on the appropri 
ate government letterhead 
if the disclosure is to a person acting on behalf of a public 
health authority, a written statement on appropriate gov 
ernment letterhead that the person is acting under the 


| ) 


governments authority [45 CFR § 164.514(h 


Public health authorities receiving information from covered 
entities as required or authorized by law [45 CFR 164.512(a 
FR 164.512(b)] are not business associates of the cov 
ered entities and therefore are not required to enter into Dus! 
- ’ Publ } Irl horiti rl 
ness associate agreements ubDlic health authorities that are 
not covered entities also are not required to enter into busi 


, 1: 1] 
ness associate agreements with thei! public health partners < 
, 


contractors. Also, after PHI is disclosed to a public heal 


authority pursuant to the vacy Rule, the public health 


vuthority (if it is not a covere ntity) may maintain, use, and 
iecines the d tent with the lay rulat 
aisciose the Gata Consistent wit I iaws, regulations, ane 


licabl he public healrl , 
policies applicable to the public health authority 


Disclosures for Public Health Purposes 


[| ivacy Kul llows covered entities to disclose PHI to 
public health authorities when required by tederal, tribal, state 
or local laws [45 CFR cludes state laws 
or state procedure 
for receiving reporting hild abuse, birth 
oO! death Ol conducting pt neaitn su veillance 
tion, or intervention 

For disclos sia 
still disclose 
1uthorized bi 
purpose of pre' 
ibility, che 
intended public health purpose of the disclosurs 
164.512 (b Box | 

For ¢ kample to protect the he ilth of the public public health 

, 


officials might need to obtain information related to persons 


aftected by i disease. In certain Cases the \ might need to con 


tact those affected to determine the cause of the disease to 
allow for actions to prevent further illness. The Privacy Rule 
continues to allow for the existing practice of sharing PHI 
with public health authorities who are authorized by law to 
collect or receive such information to aid them in their mis- 
sion of protecting the health of the public. Examples of such 
activities include those directed at the reporting of disease or 
injury, reporting adverse events, reporting births and deaths, 
and investigating the occurrence and cause of injury and dis 
ease (/). 

Although it is not a defined term, DHHS interpreted the 
phrase “authorized by law” to mean that a legal basis exists for 
the activity. Further, DHHS called the phrase “a term of art, 
including both actions that are permitted and actions that are 
required by law [64 FR 59929, November 3, 1999]. This does 
not mean a public health authority at the federal, tribal, state, 
or local level must have multiple disease or condition-specific 
laws that authorize each collection of information. Public 
health authorities operate under broad mandates to protect 


1 j ] 
the health of their constituent populations. 


Requirements for Covered Entities 


Accounting for Public Health Disclosures 


Although the Privacy Rule permits disclosures of PHI to 
public health authorities, covered entities must comply with 
certain requirements related to these disclosures. One such 
requirement is that a covered entity must be able to provide 
an individual, upon request, with an accounting of certain 


disclosures of PHI. The covered entity is not required to 


account for all disclosures of PH1. For example, an account 


is not required for disclosures made 


e s compliance date; 


prior to the covered entit 
* tor 1PO purposes 


¢ to the individual o1 


} 


wuthorization,; oO! 


, 
s part of a limited data set 


wevel usually in accounting Is required rol disclosures 


\ F ' , , , 
m ide without authorization including public health purposes. 


t 


The required accounting for 


iccomplished in different ways. lypically the covered entity 


' , 1 1 1 
must provide the individual with an accounting of eacn 


disclosure by date, the PHI disclosed, the identity of the 


l 


cipient ol! ind the purpose ol the disclosure. 


However, where the covered entity has, during the accounting 


period, made multiple disclosures to the same recipient fot 
the same purpose, the Privacy Rule provides for a simplified 
means o! accounting. In suc h Cases, the covered entity need 


only identify the recipient of such repetitive disclosures, the 
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purpose of the disclosure, and describe the PHI routinely 
disclosed. The date of each disclosure need not be trac ked. 
Rather, the accounting may include the date of the first and 
last such disclosure during the accounting period, and a 
description of the frequency or periodicity of such disclosures. 
For example, the vast amount of data exchanged between 
covered entities and public health authorities is made through 
ongoing, regular reporting or inspection requirements. A 
covered health-care provider may routinely report all cases of 
measles it diagnoses to the local public health authority. An 
accounting of such disclosures to a requesting individual would 
need to identify the local public health authority receiving 
the PHI, the PHI disclosed, the purpose of the disclosure 
(required for communicable disease surveillance), the 
periodicity (weekly), and the first and last dates of such 
disclosures during the accounting period (May 1, 2003 to 
June 1, 2003). Thus, the covered entity would not need to 
annotate each patient's medical record whenever a routine 


public health disclosure was made. 


Notice of Privacy Practices 


With certain exceptions, under the Privacy Rule, individu- 
als have the right to adequate notice of the uses and disclo 
sures of PHI that may be made by the covered entity, as well as 
their rights and the covered entity's legal obligations. Notices 
must be in plain language and clearly posted. Certain covered 
entities must make a good faith effort to obtain an individual's 
acknowledgment of receipt of this notice. In certain cases, 


notice may be provided electronically. 


Minimum Necessary Standard 


The Privacy Rule usually directs covered entities to limit 
the amount of information disclosed to the minimum neces 
sary to achieve the specified goal [45 CFR § 164.514(d)(1)]. 
This requirement usually applies to disclosures to a public 
health agency. It would not apply, however, if the disclosure 
were required by law, authorized by the individual, or for treat- 
ment purposes. A covered entity may also reasonably rely on a 
public official's determination that the information requested 


is the minimum necessary for the public health purpose. 


Public Health Authorities Performing Covered 
Functions 


Public health authorities at the federal, tribal, state, or local 
levels that perform covered functions (e.g., providing health 
care or insuring individuals for health-care costs), may be sub 
ject to the Privacy Rule's provisions as covered entities. For 
example, a local public health authority that operates a health 
clinic providing essential health-care services to low-income 


persons and performs certain electronic transactions might be 





defined under the Privacy Rule as a covered health-care pro 
vider and therefore a covered entity. Flow charts and interac 
tive tools designed to help determine covered entity status are 
provided online by the Centers for Medicare and Medicaid 
Services, available at http://www.cms.gov/hipaa/hipaa2/sup 
port/tools/decisionsupport/default.asp. 

lhe following are examples of public health authority func 

tions that make them covered entities: 

* Public health authorities as covered health-care pro- 
viders. A public health authority that conducts health care 
as part of its activities is a covered health-care provider if 
it also performs electronic transactions covered by the 
HIPAA Transactions Rule as part of these activities. The 
fact that these activities are conducted in pursuit of a public 
health goal (e.g., vaccinating children or screening a tat 
geted population for sexually transmitted diseases) does 
not preclude the public health authority from being a cov 
ered entity. 


Public health authorities as health plans. Under the 


Privacy Rule, a health plan is an individual or group plan 
that provides, or pays the cost of, medical care. This spe- 
cifically includes government health plans (e.g., Medicare, 
Medicaid, or Veterans Health Administration). However, 
the Privacy Rule defines health plan to exclude govern 
ment-funded programs whose principal activity is the di 
rect provision of health care to persons or the making of 
grants to fund the direct provision of health care to pet 
sons [45 CFR § 160.103]. Examples include the Ryan 
White Comprehensive AIDS Resources Emergency Act. 
Although certain government programs that fund provid- 
ers directly may not be health plans, government programs 
that reimburse providers or otherwise fund providers to 
perform direct health-care services should carefully ana- 
lyze the details of their programs to determine if they are 
performing covered functions. 

* Public health authorities as health-care clearinghouses. 
Although unlikely, a public health authority might be a 
health-care clearinghouse if it receives health information 
from another entity and translates that information from 
a nonstandard format into a standard transaction or stan 
dard data elements (or vice versa). Operators of commu- 
nity health information systems should carefully considet 
whether they meet the definition for a health-care clear 
inghouse. 

* Public health agencies as hybrid entities. A public health 
agency that is a covered entity, and has both covered and 
noncovered functions may become a hybrid entity by des 
ignating its health-care components. By designating itself 
as a hybrid entity, a public health authority can carve out 


its noncovered functions, so that the majority of Privacy 
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Rule provisions apply only to its health-care component, 
which is required to comply with the Privacy Rule 
requirements, including using and disclosing PHI only as 
authorized, meeting the administrative requirements, 
accounting for disclosure of PHI, and providing a notice 
of practices. However, such a designation does not pre 
clude the public health authority from continuing to con 
duct authorized public health functions. A covered entity 
that is also a public health authority may use, as well as 
disclose, PHI for public health purposes to the same 
extent it would be permitted to disclose the PHI as a pub 


lic health vuthority 


The Privacy Rule and Public 
Health Research 


| ] ] 
Che topic of research under the Priv Rule is covered in 


depth in the DHHS report, Protecting Personal Health Infor 
Understanding the HIPAA Privacy Rule 


) ] ] 
Rule provides separate provisions ror disclo 


mation in Research 
6). The Privacy 


sure without individual authorization for public health put 


poses and ror cert n n ) | R 


CFR 164.512 


164.512(b +5 

l 

pertaining to researcn 
| | i] 

stresses the mport nce LISTINYUI ing t tween research and 


practice to ensi 


ire appropriately pro 


tected [4 2 Part 4 For certain activities, this distin 


} 4 | j j 
tion is! uwavs cie I l ission of the dcistinctions 


between public h¢ lth practice 


h iS be yond the scope 


j 


of this document. However ers provide guid 


ince in this area (7—9 


Research Versus Practice 


he definition of vacy Rule 


ind the Common 


vestigation 
including research development esting, and evaluation 


designed to devel ralizable knowledge 


Research i med to t hypothesis, permit conclusions 
to be drawn ind thereby 


, 
clop or contriDute to gener! ul 


11 


public health activities (e.g 


| he majority of | 


izable knowledg« 
public health surveillance, and disease prevention and control 
projects) are based on scientific evidence and data collection 
or analytic methods similar to those used in research. How 
ever, they are not designed to contribute to generalizable knowl 
edge. Their primary purpose is to protect the health of the 
population through such activities as disease surveillance pre 
vention, or control. 

Che Belmont Report (//) defines practice as interventions 


designed solely to enhance the well being of a person, patient, 


or client, and which have reasonable expectation of success. 
lhe report further states that the purpose of medical o1 
behavioral practice is to provide diagnosis, preventive treat- 
ment, or therapy to particular patients. For public health agen- 
cies, the patient is the community. Public health practice 
activities (e.g., public health surveillance, disease control, o1 
program evaluation) are undertaken with the intent to benefit 
a specific community, although occasionally they may pro- 
vide unintended generalizable benefits to others. 

Some public health activities that are initially public health 
practice may subsequently evolve into a research activity (e.g., 
an investigation to determine the cause of an outbreak that 
incorporates a research study evaluating the efficacy of a new 
drug to treat the illness). When that is the case, the disclosures 
may be made initially under the public health provisions of 
the Privacy Rule. But when the activity becomes an ongoing 
research activity, the entity should consider application of the 
relevant research disclosures provisions to continue to obtain 
information for this purpose. Moreover, there may be cases 
where the activity is both research and public health practice 
e.g., an ongoing survey to monitor health conditions in the 
population, data from which can also be analyzed for research 
purposes). In those cases, disclosures may be made either un 
der the research provisions or the public health provisions, as 
uppropriate the covered entity need not comply with both 


sets of requirements 


The Privacy Rule and Other Laws 


¢ Federal laws. Covered entities subject to the Privacy Rule 
are also subject to other federal statutes and regulations 
Che specific relationship of the Privacy Rule and certain 
federal laws is discussed in the preamble to the December 
2000 Final Rule [65 Fed.Reg. 82481]. In certain instances, 
the Privacy Rule imposes requirements in direct conflict 
with other federal laws or regulations. In those instances 
an analysis will be necessary to determine whether the later 
provision was intended to overrule the prior law o1 regu 
lation. 
State laws. As a federal regulatory standard, the Privacy 
Rule preempts only those contrary state laws relating to 
the privacy of individually identifiable health informa- 
tion that have less stringent requirements or standards than 
the Privacy Rule (i.e., more stringent laws remain in 
effect). In addition, DHHS may, upon specific request 
from a state or other entity or person, determine that a 
provision of state law that is contrary to the federal 
requirements and that meets certain additional criteria, 


will not be preempted by the federal requirements. Thus, 
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preemption of a contrary state law will not occur if the 
Secretary or designated DHHS official determines, in 
response to a request, that the state law 1) is necessary to 
prevent fraud and abuse related to the provision of or pay- 
ment for health care; 2) is necessary to ensure appropriate 
state regulation of insurance and health plans to the 
extent expressly authorized by statute or regulation; 3) is 
necessary for state reporting on health-care delivery ot 


costs; 4) is necessary to serve a compelling public health, 


safety, or welfare need, and, if a Privacy Rule provision is 


at issue, if the Secretary determines that the intrusion into 
privacy is warranted when balanced against the need to be 
served; or 5) has as its principal purpose the regulation of 
the manufacture, registration, distribution, dispensing, or 
other control of any controlled substances. The Privacy 
Rule specifically does not preempt contrary state public 
health laws that provide tor the reporting of disease oO! 
injury, child abuse, birth or death, or for the conduct of 
public health surveillance, investigation, or intervention 
[45 CFR § 160.202]. 


Online Resources 


References to non-DHHS sites on the Internet are provided 
as a service to MMWR readers and do not constitute or imply 
endorsement of these organizations or their programs by CD(¢ 
or the U.S. Department of Health and Human Services. CD¢ 
is not responsible for the content of these sites. URL addresses 


listed in MMWR were current as of the date of publication. 


Federal Government Resources 
DHHS Office for Civil Rights — HIPAA guidelines 


hetp://www.hhs.gov/ocr/hipaa 

CDC — Privacy Rule guidelines 
http: www.cdc.gor privacyrule 

Centers for Medicare and Medicaid Services 
hetp://www.cms.gov/hipaa 
http://www.cms.gov/hipaa/hipaa2/support/tools/decision 
support/default.asp 

Health Resources and Services Administration — HIPAA 
http://www.hrsa.gov/website.htm 

National Center for Health Statistics 
hetp://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm 

National Committee on Vital and Health Statistics 
hetp://www.ncvhs.hhs.gov 

National Health Information Infrastructure 


http://www. health.gov/nevhs-nhii 


Indian Health Service — HIPAA 
http://www.ihs.gov/AdminMngrResources/HIPAA/index.ctm 

National Institutes of Health 
http://privacyruleandresearch.nih.gov 

Substance Abuse and Mental Health Services Administration 

— HIPAA 


http://www.samhsa.gov/hipaa 


State Government Resources 
California 
hetp://www.dhs.ca.gov/hipaa 
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp 
http://www.dmh.ca.gov/hipaa 
Colorado 
http://www.cdphe.state.co.us/ HIPAA 
Florida 
http://www.myflorida.com/myflorida/sto/hipaa 
Illinois 
hetp://www.state.il.us/dpa/hipaa.html 
Kentucky 
http://chs.state.ky.us/dms/HIPAA/default.htm 
hetp://dmhmrs.chr.state.ky.us/hipaa.asp 
Maryland 
hetp://www.mhcc.state.md.us/edi/hipaa/_hipaa.htm 
http://dhmh.state.md.us/HIPAA 
Minnesota 
hetp://www.dhs.state.mn.us/hipaa 
Missouri 
http://www. health.state.mo.us/ HIPAA 
New York 
hetp://www.oft.state.ny.us/hipaa/index.htm 
North Carolina 
hetp://dirm.state.nc.us/hipaa 
Ohio 
http://www.state.oh.us/hipaa 
Pennsylvania 
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp 
http://www.insurance.state.pa.us/html/hipaa.huml 
South Carolina 
http://www. hipaa.state.sc.us 
Texas 
http://www. hhsc.state.tx.us/NDIS/NDIS TaskForce.htm! 
Virginia 
hetp://www.dmas.state.va.us/hpa-home.htm 
Wisconsin 


hetp://www.dhts.state.wi.us/ HIPAA 
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Associations, Nonprofit Organizations, 


and Academic Resources 
American Hospital Association — HIPAA 
http://www. hospitalconnect.com/aha/key_issues/hipaa/ 
resources/resources.html 
American Medical Association — HIPAA 
http://www.ama-assn.org/ama/pub/category/4234.html 
Association of State and Territorial Health Officials — 
HIPAA 
http://www.astho.org/?template=hipaa.html 
Georgetown University Health Privacy Project 
http://www. healthprivacy.org 
Joint Healthcare Information Technology Alliance 
http://www. jhita.org 
National Association of Health Data Organizations 


hetp://www.nahdo.org 

National Association of Insurance Commissioners 
hetp://www.naic.org/ | privacy/initiatives/health_privacy.htm 

National Governors Association — HIPAA 
http://www.nga.org/center/topics/1,1188,C_CENTER 
ISSUESD_4324,00. hrm! 

North Carolina Healthcare Information and Communica- 

tions Alliance 


http: www.nchica.org 


Public Health Grand Rounds HIPAA Privacy Rule: 

Enhancing or Harming Public Health? 
http://www.publichealthgrandrounds.unc.edu 

Stanford University Medical School — HIPAA 
http://www.med.stanford.edu/HIPAA 

Workgroup for Electronic Data Interchange — Strategic 

National Implementation Process 


http: www.wedi.org snip 
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Che following concepts and definitions are adapted from 
the regulatory language. For further information, see the cita- 
tions to the Privacy Rule. 

Accounting. An individual has a right to receive an account- 
ing of disclosures of protected health information made by a 
covered entity in the six years prior to the date on which the 
accounting is requested, except for disclosures (a) to carry out 
treatment, payment and health care operations [45 CFR § 
164.506]; (b) to individuals of protected health information 


hem [45 CFR § 164.502]; (c) incident to a use or dis- 


about t 
closure otherwise permitted or required by this subpart, as 
provided in 45 CFR §164.502; (d) pursuant to an authoriza- 
tion as provided in 45 CFR §$164.508; (e) for the facility's 
directory or to persons involved in the individual's care or 
other notification purposes, as provided in 45 CFR §164.510; 
(f) for national security or intelligence purposes as provided 
in 45 CFR §164.512(k)(2), (g) to correctional institutions o1 
law enforcement officials as provided in 45 CFR §$164.512 
(k)(5); or (h) as part of a limited data set in accordance with 
+5 CFR §164.514(e); or (i) that occurred prior to the compli- 
ance date for the covered entity.... Such an accounting must 
meet the following requirements: (1) except as otherwise pro- 
vided by paragraph (a) of this section, the accounting must 
include disclosures of protected health information that 
occurred during the six years (or such shorter time period at 
the request of the individual as provided in paragraph (a)(3) 
of this section) prior to the date of the request for an account 
ing, including disclosures to or by business associates of the 
covered entity; (2) except as otherwise provided by paragraphs 
b)(3) or (b)(4) of this section, the accounting must include 
for each disclosure: the date of the disclosure, the name of the 
entity or person who received the protected health informa 
tion, and if known, the address of such entity or person; a 
brief description of the protected health information disclosed; 
and, a brief statement of the purpose of the disclosure that 
reasonably informs the individual of the basis for the disclo 
sure, or in lieu of such a statement, a copy of the individual's 
written authorization pursuant to 45 CFR § 164.508, or a 
copy of a written request for a disclosure under 45 CFR § 
164.502(a)(2)(ii) or 45 CFR § 164.512, if any. 

If, during the period covered by the accounting, the covered 
entity has made multiple disclosures of protected health 
information to the same person or entity for a single purpose 
under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the 


accounting may, with respect to such multiple disclosures, 


Appendix A 


Selected Privacy Rule Concepts and Definitions 





provide the information required by paragraph (b)(2) of 45 
CFR § 164.528 for the first disclosure during the accounting 
period, the frequency, periodicity, or number of the disclo- 
sures made during the accounting period, and the date of the 
last such disclosure during the accounting period [45 CFR § 
164.528]. 

Modified accounting procedures are also provided for cov 
ered entities making research disclosures involving >50 per- 
sons [45 CFR § 164.528(b)(4)]. 

Business associate. A person who, on behalf of a covered 
entity or of an organized health care arrangement [45 CFR § 
154.501] in which the covered entity participates, but other 
than in the capacity of a member of the workforce of such 
COV ered entity or arrangement, performs, or assists In the pel 
formance of . a function or activity involving the use or 
disclosure of individually identifiable health information, 
including claims processing or administration, data analysis, 
processing or administration, utilization review, quality assur 
ance, billing, benefit management, practice management, and 
repricing; or any other function or activity regulated by this 
subchapter; or provides, other than in the capacity of a mem- 
ber of the workforce of such covered entity, legal, actuarial, 
accounting, consulting, data aggregation [45 CFR § 164.501 
management, administrative, accreditation, or financial ser- 
vices to or for such covered entity, or to or for an organized 
health-care arrangement in which the covered entity partici 
pates, where the provision of the service involves the disclo 
sure of individually identifiable health information from such 
covered entity or arrangement, or from another business asso 
ciate of such covered entity or arrangement, to the individual 

45 CFR § 160.103). 

Covered entity. |) a health plan; 2) a health-care clearing 
house; 3) a health-care provider who transmits any health 
information in electronic form in connection with a transac- 
tion [45 CFR § 160.103). 

Covered functions. Those functions of a covered entity the 
performance of which makes the entity a health plan, 
health-care provider, or health-care clearinghouse [45 CFR § 
164.103}. 

Data aggregation. “With respect to protected health intor 
mation created or received by a business associate in its capac- 
ity as the business associate of a covered entity, the combining 
of such protected health information by the business associate 
with the protected health information received by the busi- 


ness associate in its capacity as a business associate of another 
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covered entity, to permit data analyses that relate to the health- 
care operations of the respective covered entities [45 CFR 
§$164.501]}. 

De-identified health information. Health information that 
does not identify an individual and with respect to which no 
reasonable basis exists to believe that the information can be 
used to identify an individual is not individually identifiable 
information. [45 CFR § 164.514(a)]. 

Disclosure. The release, transfer, provision of access to, or 
divulging in any other manner of information outside the entity 
holding the information [45 CFR § 160.103}. 

Electronic media. |) Electronic storage media including 
memory devices in computers (hard drives) and any remov- 
able/transportable digital memory medium, such as magnetic 
tape or disk, optical disk, or digital memory card; or 2) trans- 
mission media used to exchange information already in elec- 
tronic storage media. Transmission media include, for example, 
the Internet (wide open), extranet (using Internet technology 
to link a business with information accessible only to collabo- 
rating parties), leased lines, dial-up lines, private networks, 


and the physical movement of removable/transportable elec- 


tronic storage media. Certain transmissions, including of 


paper, via facsimile, and of voice, via telephone, are not con- 
sidered to be transmissions via electronic media, because the 
information being exchanged did not exist in electronic form 
before the transmission [45 CFR § 160.103). 

Health care. Care, services, or supplies related to the health 
of an individual. It includes but is not limited to 1) preven- 
tive, diagnostic, therapeutic, rehabilitative, maintenance, or 
palliative care, and counseling, service, assessment, or proce- 
dure with respect to the physical or mental condition, or func- 
tional status, of an individual or that affects the structure or 


function of the body; and, 2) sale or dispensing of a drug, 


device, equipment, or other item in accordance with a pre- 
scription [45 CFR § 160.103). 


Health-care clearinghouse. A public or private entity, 
including a billing service, repricing company, community 
health management information system, community health 
information system, or value-added network or switch that 1) 
processes or facilitates the processing of health information 
received from another entity in a nonstandard format or con- 
taining nonstandard data content into standard data elements 
or a standard transaction or 2) receives a standard transaction 
from another entity and processes or facilitates the processing 
of health information into nonstandard format or nonstand- 


ard data content for the receiving entity [45 CFR § 160.103]. 


Health-care operations. Any of the following activities of 


the covered entity to the extent that the activities are related to 
covered functions: 1) conducting quality assessment and 


improvement activities, population-based activities, and 


related functions that do not include treatment; 2) reviewing 
the competence or qualifications of health care professionals, 
evaluating practitioner, provider, and health plan performance, 
conducting training programs where students learn to prac- 
tice or improve their skills as health-care providers, training of 
nonhealth-care professionals, accreditation, certification, 
licensing, or credentialing activities; 3) underwriting, premium 
rating, and other activities relating to the creation, renewal or 
replacement of a contract of health insurance or benefits; 4) 
conducting or arranging for medical review, legal services, and 
auditing functions, including fraud and abuse detection and 
compliance programs; 5) business planning and development, 
such as conducting cost-management and planning-related 
analyses related to managing and operating the entity, includ- 
ing formulary development and administration, development 
or improvement of methods of payment or coverage policies; 
and 6) business management and general administrative 
activities of the entity [45 CFR § 164.501]. 

Health-care provider. A provider of services, (as defined in 
section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider 
of medical or health-care services, (as defined in section 1861 (s) 
of the Act, 42 U.S.C. 1395x(s)), and any other individual or 
organization that furnishes, bills, or is paid for health care in 
the normal course of business [45 CFR § 160.103]. 

Health information. Any information, whether oral or 
recorded in any form or medium, that 1) is created or received 
by a health-care provider, health plan, public health authority, 
employer, life insurer, school or university, or health-care clear- 
inghouse; and 2) relates to the past, present, or future physical 
or mental health or condition of an individual, the provision 
of health care to an individual, or the past, present, or future 
payment for the provision of health care to an individual [45 
CFR § 160.103). 

Health plan. An individual or group plan that provides, or 
pays the cost of, medical care (as defined in section 2791 (a)(2) 
of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan 
includes the following, singly or in combination: (i) a group 
health plan as defined in 45 CFR § 160.103 of the Privacy 
Rule; (ii) a health insurance issuer, as defined in 45 CFR § 
160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 
CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the 
Medicare program under title XVIII of the Act; (v) the Med- 
icaid program under title XIX of the Act, 42 U.S.C. 1396 et 
seq.; (vi) an issuer of a Medicare supplemental policy, (as 
defined in section 1882(g)(1) of the Act, 42 U.S.C. 
1395ss(g)(1)); (vii) an issuer of a long-term care policy, 
excluding a nursing home fixed-indemnity policy; (viii) an 
employee welfare benefit plan or any other arrangement that 
is established or maintained for the purpose of offering or pro- 


viding health benefits to the employees of two or more 
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employers; (ix) the health care program for active military pet 
sonnel under title 10, U.S.C.; (x) the veterans health-care pro 
gram under 38 U.S.C. Ch. 17; (xi) the Civilian Health and 
Medical Program of the Uniformed Services (CHAMPUS) 
(as defined in 10 U.S.C 
Service program under the Indian Health Care Improvement 
ac 2 Re 


Health Benefits Program under 5 U.S.C. 8902, et seq.; (xiv) 


1072(4)); (xii) the Indian Health 
1601, et seq.; (xiii) the Federal Employees 


an approved state child health plan under title XX1 of the Act, 
providing benefits for child health assistance that meet the 
requirements of section 2103 of the Act; 42 U.S.C. 1397, et 
seq.; (xv) the Medicare+Choice program under Part C of title 


XVIII of the Act, 42 U.S.C 


(xvi) a high risk pool that is a mechanism established undet 


21 through 1395w-28; 


1395w 

state law to provide health insurance coverage or comparable 

coverage to eligible individuals; (xvii) any other individual o1 

group plan, or combination of individual or group plans, that 

provides or pays for the cost of medical care (as defined in 

section 2791 (a)(2) of the PHS Act, 42 U.S.C. s00ge 91(a)(2)) 
15 CFR § 160.103}. 


Che term health plan excludes: (i) any policy, plan, or pro 
gram to the extent that it provides, or pays for the cost of, 
excepted benefits that are listed in §$2791(c)(1) of the PHS 
Act, 42 U.S.C 


program, other than the one listed in items (i)-(xvi) above, 


300ge-91(c)(1); and, (ii) a government-funded 


whose principal purpose is other than providing, or paying 
the cost of, health care, or whose principal activity is 1) the 
direct provision of health care to individuals; or 2) the mak 
ing of grants to fund the direct provision of health care to 
individuals [45 CFR § 160.103 

Hybrid entity. A single legal entity 1) that is a covered « 
ntitv; 2) whose business activities include both covered and 
noncovered functions; and 3) that designates its health-car 
components [45 CFR § 164.103}. 

Individually identifiable health information. A subset o! 
health information, including demographic information col 
lected from an individual, and 1) is created or received by a 
health-care provider, health plan, employer, or health-care cleat 
inghouse; and, 2) relates to the past, present, or future physi 
cal or mental health or condition of an individual, the provision 
of health care to an individual, or the past, present, or future 
payment for the provision of health care to an individual; and 
that identifies the individual or where there is a reasonable 
basis to believe the information can be used to identity the 
individual [45 CFR § 164.501 

Limited data set. Protected health information that excludes 
certain direct identifiers of the individual or of relatives, 
employers, or household members of the individual. Direct 


identifiers to be excluded can be found in 45 CFR § 


164.514(e)(2). 








Minimum necessary. For any type of disclosure that a coy 


ered entity makes on a routine and recurring basis, that the 
covered entity must implement policies and procedures (which 
may be standard protocols) that limit the protected health 
information disclosed to the amount reasonably necessary to 
achieve the purpose of the disclosure. For all other disclosures, 
covered entities must develop and implement criteria designed 
to limit the protected health information disclosed to the 
information reasonably necessary to accomplish the purpose 
tor which disclosure is sought and review requests for disclo 
sure on an individual basis in accordance with such criteria. A 
covered entity may rely, if such reliance is reasonable undet 
the circumstances, on a requested disclosure as the minimum 
necessary for the stated purpose when (a) making disclosures 
to public officials that are permitted under 45 CFR § 164.512, 
if the public official represents that the information requested 
is the minimum necessary for the stated purpose, (b) if the 
information is requested by another covered entity (c) their 
business associates providing personal services, or (d) docu 
mentation or representations that comply with the applicable 
requirements of 45 CFR § 164.512(i) have been provided by 
an individual requesting the information for research purposes 
[45 CFR § 164.514(d)(3)}. 

[he minimum necessary standard also applies to uses of 
protected health information [45 CFR § 164.514(d)(2)] and 
requests for protected health information [45 CFR § 
164.514(d)(4)}. 

Notice. An individual, with certain exceptions, has a right 
to adequate notice of the uses and disclosures ot protected 
health information that may be made by the covered entity 
and of the individual's rights, and the covered entity's legal 
duties, with respect to protected health information. The 
notice must be written in plain language and contain the fol 
lowing elements: (i) a header as specified in the rule; (ii) a 
description, including at least one example, of the types of 
uses and disclosures that the covered entity is permitted to 
make for treatment, payment, and health care operations, and 
a description of each of the other purposes for which the cov 
ered entity is permitted or required to use or disclose pro 
tected health information without the individual's written 
consent or authorization. If a use or disclosure is prohibited 
or materially limited by other applicable law, the description 
of such use or disclosure must reflect the more stringent law 
(as defined in 45 CFR § 160.202). Each description must 
include sufficient detail to place the individual on notice of 
the uses and disclosures that are permitted or required by the 
Privacy Rule or other applicable law, and a statement that other 
uses and disclosures will be made only with the individual's 
written authorization and that the individual may revoke such 


authorization as provided by 45 CFR § 16 +.508(b)(5). 
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\ separate statement must be included in the notice if a 
covered entity intends to engage in any of the following 
ictivities. The statement should explain that 1) the covered 
entity may contact the individual to provide appointment 
reminders or information regarding treatment alternatives or 
other health-related benefits; 2) the covered entity may con- 
tact the individual to raise funds for the covered entity; or 3) a 
group health plan, health insurer, or HMO with respect to a 
group health plan may disclose protected health information 
to the sponsor of the plan 

he notice must contain a statement of the individual's rights 
with respect to the protected health information and a brief 
description of how the individual may exercise these rights, a 
statement of the covered entity's duties, a statement that indi 
viduals may complain to the covered entity or the Secretary if 
they believe their privacy rights have been violated, contact 
information, and the effective date of the notice [45 CFR § 
164.520 

Payment. |) Vhe activities undertaken by (i) a health plan 
to obtain premiums or to determine or fulfill its responsibility 
for coverage and provision of benefits under the health plan; 
or (ii) a health-care provider or health plan to obtain or pro 
vide reimbursement for the provision of health care; and 2) 
the activities relate to the individual to whom health care is 
provided and include, but are not limited to (i) determina 
tions of eligibility or coverage and adjudication or subroga 
tion of health benefit claims; (ii) risk adjusting amounts due 
based on enrollee health status and demographic characteris- 
tics; (iii) billing, claims management, collection activities, 
obtaining payment under a contract for reinsurance (includ 
ing stop-loss insurance) and related health-care data process- 
ing; (iv) review of health-care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, 
or justification of charges; (v) utilization review activities, 
including precertification and preauthorization of services, con 
current and retrospective review of services; and (vi) disclo- 
sure to consumer reporting agencies of any of the following 
protected health information relating to collection of premi 
ums or reimbursement: (a) name and address; (b) date of birth; 
(c) social security number; (d) payment history; (e) account 
number; and (f) name and address of the health-care provider 
164.501 
Protected health information (PHI). \ndividually identi 


or health plan [45 CFR 


fiable health information that is transmitted by electronic 
media, maintained in electronic media, or transmitted or 
maintained in any other form or medium. PHI excludes indi 


vidually identifiable health information in: (i) education 


records covered by the Family Education Rights and Privacy 


Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.A 


1232g(a)(4)(B)(iv); and (iii) employment records held by a 
covered entity in its role as employer [45 CFR § 160.103}. 

Public health authority. An agency or authority of the 
United States, a state, a territory, a political subdivision of a 
state or territory, or an Indian tribe, or an individual or entity 
acting under a grant of authority from or contract with such 
public agency, including the employees or agents of such pub- 
lic agency or its contractors or individuals or entities to whom 
it has granted authority, that is responsible for public health 
matters as part of its official mandate [45 CFR § 164.501]. 

Examples of public health authorities include state and 
local health departments, CDC, National Institutes of Health 
(NIH), Food and Drug Administration (FDA), and Occupa- 
tional Safety and Health Administration (OSHA). 

Required by law. A mandate contained in law that compels 
an entity to make a use or disclosure of protected health infor 
mation and that is enforceable in a court of law. This term 
includes, but is not limited to court orders and court-ordered 
warrants; subpoenas or summons issued by a court, grand jury, 
a governmental or tribal inspector general, or an administra 
tive body authorized to require the production of informa- 
tion; a civil or an authorized investigative demand; Medicare 
conditions of participation with respect to health-care provid- 
ers participating in the program; and statutes or regulations 
that require the production of information, including statutes 
or regulations that require such information if payment is 
sought under a government program providing public ben 
efits [45 CFR § 164.103}. 

Research. A systematic investigation, including research 
development, testing, and evaluation, designed to develop o1 
contribute to generalizable knowledge [45 CFR § $164.501}. 

Statistical de-identification. A properly qualified statisti 
cian using accepted analytical techniques concludes that the 
risk is limited that the information could be used, alone or in 
combination with other reasonably available information to 
identify the subject of the information [45 CFR § 164.514(b)}. 

Safe harbor method. A covered entity or its agent removes 
a comprehensive set of identifiers enumerated in the Privacy 
Rule, which includes but is not limited to, names, geographic 
subdivisions smaller than states, dates more specific than years, 
contact information, identification numbers and photographic 
images, and has no actual knowledge that the remaining 
information could be used alone or in combination with other 
information to identify the individual who is a subject of the 
information, or the individual's relatives, employers, or house 
hold members. Eighteen specific identifiers will need to be 
removed to achieve de-identification [45 CFR § 164.514(b)]. 

Transaction. \he transmission of information between two 


parties to carry out financial or administrative activities 
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related to health care. It includes the following types of infor- 
mation transmissions: health care claims or equivalent encoun- 
ter information; health care payment and remittance advice; 


coordination of benefits; health care claim status; enrollment 


and disenrollment in a health plan; eligibility for a health plan; 


health plan premium payments; referral certification and 
authorization; first report of injury; health claims attachments; 
and other transactions that the Secretary may prescribe by regu- 
lation [45 CFR § 164.103]. 


Treatment. The provision, coordination, or management 


of health care and related services by one or more health-care 


providers, including the coordination or management of health 
care by a health-care provider with a third party; consultation 
between health-care providers relating to a patient; or the 
referral of a patient for health care from one health-care pro- 
vider to another [45 CFR § 164.501}. 

Use. With respect to individually identifiable health infor 
mation, the sharing, employment, application, utilization, 
examination, or analysis of such information within an entity 
that maintains such information [45 CFR § 160.103}. 
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Appendix B 


Sample Text That Can Be Used To Clarify Public Health Issues 


Following are sample letters that can be used to help clarify 
Privacy Rule issues among covered entities and public health 
authorities (e.g., CDC, National Institutes of Health, Food 
and Drug Administration, Substance Abuse and Mental Health 
Services Administration, Health Resources and Services 
Administration, state and local health departments). Public 
health authorities can use these letters as templates by insert- 
ing names of the appropriate individuals, projects, agreements, 
laws, activity types, covered entities, public health authorities, 


and authorized agencies. 


From a public health authority to a covered entity, clari- 
fying rules regarding disclosure 
To Whom it May Concern: 

[Public health authority] is an agency of {parent authority] 

and is conducting the activity described here in its capacity as 
a public health authority as defined by the Health Insurance 
Portability and Accountability Act (HIPAA), Standards for 
Privacy of Individually Identifiable Health Information; Final 
Rule (Privacy Rule) [45 CFR §164.501]}. Pursuant to 45 CFR 
§164.512(b) of the Privacy Rule, covered entities such as your 
organization may disclose, without individual authorization, 
protected health information to public health authorities “ 
. authorized by law to collect or receive such information for 
the purpose of preventing or controlling disease, injury, o1 
disability, including, but not limited to, the reporting of dis- 
ease, injury, vital events such as birth or death, and the con- 
duct of public health surveillance, public health investigations, 
and public health interventions . . . ” 

[Public health authority] is conducting [project], a public 
health activity as described by 45 CFR § 164.512(b), and is 
authorized by {law or regulation]. The information being 
requested represents the minimum necessary to carry out the 
public health purposes of this project pursuant to 45 CFR 
§164.514(d) of the Privacy Rule. 

If you have questions or concerns please contact [project 


leader]. 


From a public health authority to an authorized agency, 
providing grant of authority 
Dear [authorized agency}: 

lhis letter serves as verification of a grant of authority from 
[public health authority] for you to conduct the public health 


activities described here, acting as a public health authority 


Under the Privacy Rule 





pursuant to the Standards for Privacy of Individually Identifi 
able Health Information promulgated under the Health 
Insurance Portability and Accountability Act (HIPAA) [45 
CFR Parts 160 and 164)]. Under this rule, covered entities 
may disclose, without individual authorization, protected 
health information to public health authorities “ . . . autho- 
rized by law to collect or receive such information for the pur- 
pose of preventing or controlling disease, injury, or disability, 
including, but not limited to, the reporting of disease, injury, 
vital events such as birth or death, and the conduct of public 
health surveillance, public health investigations, and public 
health interventions . . . .” The definition of a public health au- 
thority includes “ . . . an individual or entity acting under a grant 
of authority from or contract with such public agency . . . .” 
[Authorized agency] is acting under (contract, grant, coop- 
erative agreement] with [public health authority] to conduct 
[project], which is authorized by [law or regulation]. {Public 
health authority] grants this authority to [authorized agency] 
for purposes of this project. Further, [public health authority] 
considers this to be [activity type], for which disclosure of 
protected health information by covered entities is authorized 


by 45 CFR § 164.512(b) of the Privacy Rule. 


From a public health authority to a covered entity, con- 
firming grant of authority to an authorized agency 
fo Whom It May Concern: 

[Public health authority] is an agency of [parent authority] 
and is a public health authority as defined by the Health 
Insurance Portability and Accountability Act (HIPAA), Stan- 
dards for Privacy of Individually Identifiable Health Informa- 
tion; Final Rule (Privacy Rule)[45 CFR § 164.501]. Pursuant 
to 45 CFR § 164.512(b) of the Privacy Rule, covered entities 
may disclose protected health information to public health 
authorities “ . . . authorized by law to collect or receive such 
information for the purpose of preventing or controlling dis- 
ease, injury, or disability, including, but not limited to, the 
reporting of disease, injury, vital events such as birth or death, 
and the conduct of public health surveillance, public health 
. bas The defi- 


. an individual 


investigations, and public health interventions . . 
nition of public health authority includes ~ 
or entity acting under a grant of authority from or contract 
with such public agency ’ {45 CFR § 164.501]. [Autho- 
rized agency] is acting under |[contract, grant or cooperative 


agreement] with [public health authority] to carry out [project]. 
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lhrough this grant of authority, [authorized agency] may func- 
tion as a public health authority under the Privacy Rule for 
purposes of this project. 

[Project] is a public health activity as described by 45 CFR 
§ 164.512(b) referenced previously, and is authorized by [law 


or regulation]. The information being requested represents the 


minimum necessary to carry out the public health purposes of 


this project pursuant to 45 CFR § 164.514(d) of the Privacy 


Rule. The Privacy Rule provides that covered entities “ 


may rely, if such reliance is reasonable under the circumstances, 
on a requested disclosure as the minimum necessary for the 
stated purposes when making disclosures to public officials 


that are permitted under 45 CFR § 164.512, if the public 


official represents that the information requested is the mini- 


mum necessary for the stated purposes(s).’ 
If you have questions or concerns please contact [project 


leader for authorized agency; public health authority contact]. 
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